Configuring Security on VSP Operating
System Software
NN47227-601
Issue 10.03
December 2017
© 2017, Extreme Networks, Inc.
All Rights Reserved.
Notice
While reasonable efforts have been made to ensure that the
information in this document is complete and accurate at the time of
printing, Extreme Networks, Inc. assumes no liability for any errors.
Extreme Networks, Inc. reserves the right to make changes and
corrections to the information in this document without the obligation
to notify any person or organization of such changes.
Documentation disclaimer
“Documentation” means information published in varying mediums
which may include product information, operating instructions and
performance specifications that are generally made available to users
of products. Documentation does not include marketing materials.
Extreme Networks shall not be responsible for any modifications,
additions, or deletions to the original published version of
Documentation unless such modifications, additions, or deletions
were performed by or on the express behalf of Extreme Networks.
End User agrees to indemnify and hold harmless Extreme Networks,
Extreme Networks’ agents, servants and employees against all
claims, lawsuits, demands and judgments arising out of, or in
connection with, subsequent modifications, additions or deletions to
this documentation, to the extent made by End User.
Link disclaimer
Extreme Networks is not responsible for the contents or reliability of
any linked websites referenced within this site or Documentation
provided by Extreme Networks. Extreme Networks is not responsible
for the accuracy of any information, statement or content provided on
these sites and does not necessarily endorse the products, services,
or information described or offered within them. Extreme Networks
does not guarantee that these links will work all the time and has no
control over the availability of the linked pages.
Warranty
Extreme Networks provides a limited warranty on Extreme Networks
hardware and software. Refer to your sales agreement to establish
the terms of the limited warranty. In addition, Extreme Networks’
standard warranty language, as well as information regarding support
for this product while under warranty is available to Extreme
Networks customers and other parties through the Extreme Networks
Support website: http://www.extremenetworks.com/support under the
link ““Policies” or such successor site as designated by Extreme
Networks. Please note that if You acquired the product(s) from an
authorized Extreme Networks Channel Partner outside of the United
States and Canada, the warranty is provided to You by said Extreme
Networks Channel Partner and not by Extreme Networks.
“Hosted Service” means an Extreme Networks hosted service
subscription that You acquire from either Extreme Networks or an
authorized Extreme Networks Channel Partner (as applicable) and
which is described further in Hosted SAS or other service description
documentation regarding the applicable hosted service. If You
purchase a Hosted Service subscription, the foregoing limited
warranty may not apply but You may be entitled to support services
in connection with the Hosted Service as described further in your
service description documents for the applicable Hosted Service.
Contact Extreme Networks or Extreme Networks Channel Partner (as
applicable) for more information.
Hosted Service
THE FOLLOWING APPLIES ONLY IF YOU PURCHASE AN
EXTREME NETWORKS HOSTED SERVICE SUBSCRIPTION
FROM EXTREME NETWORKS OR AN EXTREME NETWORKS
CHANNEL PARTNER (AS APPLICABLE), THE TERMS OF USE
FOR HOSTED SERVICES ARE AVAILABLE ON THE EXTREME
NETWORKS WEBSITE, https://extremeportal.force.com OR SUCH
SUCCESSOR SITE AS DESIGNATED BY EXTREME NETWORKS,
AND ARE APPLICABLE TO ANYONE WHO ACCESSES OR USES
THE HOSTED SERVICE. BY ACCESSING OR USING THE
HOSTED SERVICE, OR AUTHORIZING OTHERS TO DO SO, YOU,
ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU
ARE DOING SO (HEREINAFTER REFERRED TO
INTERCHANGEABLY AS “YOU” AND “END USER”), AGREE TO
THE TERMS OF USE. IF YOU ARE ACCEPTING THE TERMS OF
USE ON BEHALF A COMPANY OR OTHER LEGAL ENTITY, YOU
REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH
ENTITY TO THESE TERMS OF USE. IF YOU DO NOT HAVE SUCH
AUTHORITY, OR IF YOU DO NOT WISH TO ACCEPT THESE
TERMS OF USE, YOU MUST NOT ACCESS OR USE THE
HOSTED SERVICE OR AUTHORIZE ANYONE TO ACCESS OR
USE THE HOSTED SERVICE.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE
EXTREME NETWORKS WEBSITE, https://extremeportal.force.com
OR SUCH SUCCESSOR SITE AS DESIGNATED BY EXTREME
NETWORKS, ARE APPLICABLE TO ANYONE WHO
DOWNLOADS, USES AND/OR INSTALLS EXTREME NETWORKS
SOFTWARE, PURCHASED FROM EXTREME NETWORKS, INC.,
ANY EXTREME NETWORKS AFFILIATE, OR AN EXTREME
NETWORKS CHANNEL PARTNER (AS APPLICABLE) UNDER A
COMMERCIAL AGREEMENT WITH EXTREME NETWORKS OR
AN EXTREME NETWORKS CHANNEL PARTNER. UNLESS
OTHERWISE AGREED TO BY EXTREME NETWORKS IN
WRITING, EXTREME NETWORKS DOES NOT EXTEND THIS
LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE
OTHER THAN EXTREME NETWORKS, AN EXTREME
NETWORKS AFFILIATE OR AN EXTREME NETWORKS CHANNEL
PARTNER; EXTREME NETWORKS RESERVES THE RIGHT TO
TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING
OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY
INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR
AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF
YOURSELF AND THE ENTITY FOR WHOM YOU ARE
INSTALLING, DOWNLOADING OR USING THE SOFTWARE
(HEREINAFTER REFERRED TO INTERCHANGEABLY AS “YOU”
AND “END USER”), AGREE TO THESE TERMS AND CONDITIONS
AND CREATE A BINDING CONTRACT BETWEEN YOU AND
EXTREME NETWORKS, INC. OR THE APPLICABLE EXTREME
NETWORKS AFFILIATE (“EXTREME NETWORKS”).
Extreme Networks grants You a license within the scope of the
license types described below. Where the order documentation does
not expressly identify a license type, the applicable license will be a
Designated System License as set forth below in the Designated
System(s) License (DS) section as applicable. The applicable
number of licenses and units of capacity for which the license is
granted will be one (1), unless a different number of licenses or units
of capacity is specified in the documentation or other materials
available to You. “Software” means computer programs in object
code, provided by Extreme Networks or an Extreme Networks
Channel Partner, whether as stand-alone products, pre-installed on
hardware products, and any upgrades, updates, patches, bug fixes,
or modified versions thereto. “Designated Processor” means a single
stand-alone computing device. “Server” means a set of Designated
Processors that hosts (physically or virtually) a software application
to be accessed by multiple users. “Instance” means a single copy of
the Software executing at a particular time: (i) on one physical
machine; or (ii) on one deployed software virtual machine (“VM”) or
similar deployment.
License type(s)
Designated System(s) License (DS). End User may install and use
each copy or an Instance of the Software only: 1) on a number of
Designated Processors up to the number indicated in the order; or 2)
up to the number of Instances of the Software as indicated in the
order, Documentation, or as authorized by Extreme Networks in
writing. Extreme Networks may require the Designated Processor(s)
to be identified in the order by type, serial number, feature key,
Instance, location or other specific designation, or to be provided by
End User to Extreme Networks through electronic means established
by Extreme Networks specifically for this purpose.
Copyright
Except where expressly stated otherwise, no use should be made of
materials on this site, the Documentation, Software, Hosted Service,
or hardware provided by Extreme Networks. All content on this site,
the documentation, Hosted Service, and the product provided by
Extreme Networks including the selection, arrangement and design
of the content is owned either by Extreme Networks or its licensors
and is protected by copyright and other intellectual property laws
including the sui generis rights relating to the protection of databases.
You may not modify, copy, reproduce, republish, upload, post,
transmit or distribute in any way any content, in whole or in part,
including any code and software unless expressly authorized by
Extreme Networks. Unauthorized reproduction, transmission,
dissemination, storage, and or use without the express written
consent of Extreme Networks can be a criminal, as well as a civil
offense under the applicable law.
Virtualization
The following applies if the product is deployed on a virtual machine.
Each product has its own ordering code and license types. Note,
unless otherwise stated, that each Instance of a product must be
separately licensed and ordered. For example, if the end user
customer or Extreme Networks Channel Partner would like to install
two Instances of the same type of products, then two products of that
type must be ordered.
Third Party Components
“Third Party Components” mean certain software programs or
portions thereof included in the Software or Hosted Service may
contain software (including open source software) distributed under
third party agreements (“Third Party Components”), which contain
terms regarding the rights to use certain portions of the Software
(“Third Party Terms”). As required, information regarding distributed
Linux OS source code (for those products that have distributed Linux
OS source code) and identifying the copyright holders of the Third
Party Components and the Third Party Terms that apply is available
in the products, Documentation or on Extreme Networks’ website
at:http://www.extremenetworks.com/support/policies/softwarelicensing or such successor site as designated by Extreme Networks.
The open source software license terms provided as Third Party
Terms are consistent with the license rights granted in these Software
License Terms, and may contain additional rights benefiting You,
such as modification and distribution of the open source software.
The Third Party Terms shall take precedence over these Software
License Terms, solely with respect to the applicable Third Party
Components to the extent that these Software License Terms impose
greater restrictions on You than the applicable Third Party Terms.
The following applies only if the H.264 (AVC) codec is distributed with
the product. THIS PRODUCT IS LICENSED UNDER THE AVC
PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A
CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE
REMUNERATION TO (i) ENCODE VIDEO IN COMPLIANCE WITH
THE AVC STANDARD (“AVC VIDEO”) AND/OR (ii) DECODE AVC
VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A
PERSONAL ACTIVITY AND/OR WAS OBTAINED FROM A VIDEO
PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS
GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE.
ADDITIONAL INFORMATION MAY BE OBTAINED FROM MPEG LA,
L.L.C. SEE HTTP://WWW.MPEGLA.COM.
Service Provider
THE FOLLOWING APPLIES TO EXTREME NETWORKS CHANNEL
PARTNER’S HOSTING OF EXTREME NETWORKS PRODUCTS
OR SERVICES. THE PRODUCT OR HOSTED SERVICE MAY USE
THIRD PARTY COMPONENTS SUBJECT TO THIRD PARTY
TERMS AND REQUIRE A SERVICE PROVIDER TO BE
INDEPENDENTLY LICENSED DIRECTLY FROM THE THIRD
PARTY SUPPLIER. AN EXTREME NETWORKS CHANNEL
PARTNER’S HOSTING OF EXTREME NETWORKS PRODUCTS
MUST BE AUTHORIZED IN WRITING BY EXTREME NETWORKS
AND IF THOSE HOSTED PRODUCTS USE OR EMBED CERTAIN
THIRD PARTY SOFTWARE, INCLUDING BUT NOT LIMITED TO
MICROSOFT SOFTWARE OR CODECS, THE EXTREME
NETWORKS CHANNEL PARTNER IS REQUIRED TO
INDEPENDENTLY OBTAIN ANY APPLICABLE LICENSE
AGREEMENTS, AT THE EXTREME NETWORKS CHANNEL
PARTNER’S EXPENSE, DIRECTLY FROM THE APPLICABLE
THIRD PARTY SUPPLIER.
WITH RESPECT TO CODECS, IF THE EXTREME NETWORKS
CHANNEL PARTNER IS HOSTING ANY PRODUCTS THAT USE
OR EMBED THE G.729 CODEC, H.264 CODEC, OR H.265
CODEC, THE EXTREME NETWORKS CHANNEL PARTNER
ACKNOWLEDGES AND AGREES THE EXTREME NETWORKS
CHANNEL PARTNER IS RESPONSIBLE FOR ANY AND ALL
RELATED FEES AND/OR ROYALTIES. THE G.729 CODEC IS
LICENSED BY SIPRO LAB TELECOM INC. SEE
WWW.SIPRO.COM/CONTACT.HTML. THE H.264 (AVC) CODEC IS
LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR
THE PERSONAL USE OF A CONSUMER OR OTHER USES IN
WHICH IT DOES NOT RECEIVE REMUNERATION TO: (I) ENCODE
VIDEO IN COMPLIANCE WITH THE AVC STANDARD (“AVC
VIDEO”) AND/OR (II) DECODE AVC VIDEO THAT WAS ENCODED
BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR
WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO
PROVIDE AVC VIDEO. NO LICENSE IS GRANTED OR SHALL BE
IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION
FOR H.264 (AVC) AND H.265 (HEVC) CODECS MAY BE
OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://
WWW.MPEGLA.COM.
Compliance with Laws
You acknowledge and agree that it is Your responsibility for
complying with any applicable laws and regulations, including, but not
limited to laws and regulations related to call recording, data privacy,
intellectual property, trade secret, fraud, and music performance
rights, in the country or territory where the Extreme Networks product
is used.
Preventing Toll Fraud
“Toll Fraud” is the unauthorized use of your telecommunications
system by an unauthorized party (for example, a person who is not a
corporate employee, agent, subcontractor, or is not working on your
company's behalf). Be aware that there can be a risk of Toll Fraud
associated with your system and that, if Toll Fraud occurs, it can
result in substantial additional charges for your telecommunications
services.
Security Vulnerabilities
Information about Extreme Networks’ security support policies can be
found in the Global Technical Assistance Center Knowledgebase at
https://gtacknowledge.extremenetworks.com/.
Downloading Documentation
For the most current versions of Documentation, see the Extreme
Networks Support website: http://
documentation.extremenetworks.com, or such successor site as
designated by Extreme Networks.
Contact Extreme Networks Support
See the Extreme Networks Support website:http://
www.extremenetworks.com/support for product or Hosted Service
notices and articles, or to report a problem with your Extreme
Networks product or Hosted Service. For a list of support telephone
numbers and contact addresses, go to the Extreme Networks
Support website:http://www.extremenetworks.com/support/contact/
(or such successor site as designated by Extreme Networks), scroll
to the bottom of the page, and select Contact Extreme Networks
Support.
Contact Avaya Support
See the Avaya Support website: https://support.avaya.com for
product or Hosted Service notices and articles, or to report a problem
with your Avaya product or Hosted Service. For a list of support
telephone numbers and contact addresses, go to the Avaya Support
website: https://support.avaya.com (or such successor site as
designated by Avaya), scroll to the bottom of the page, and select
Contact Avaya Support.
Trademarks
The trademarks, logos and service marks (“Marks”) displayed in this
site, the Documentation, Hosted Service(s), and product(s) provided
by Extreme Networks are the registered or unregistered Marks of
Extreme Networks, Inc., its affiliates, its licensors, its suppliers, or
other third parties. Users are not permitted to use such Marks without
prior written consent from Extreme Networks or such third party
which may own the Mark. Nothing contained in this site, the
Documentation, Hosted Service(s) and product(s) should be
construed as granting, by implication, estoppel, or otherwise, any
license or right in and to the Marks without the express written
permission of Extreme Networks or the applicable third party.
Extreme Networks is a registered trademark of Extreme Networks,
Inc.
All non-Extreme Networks trademarks are the property of their
respective owners. Linux® is the registered trademark of Linus
Torvalds in the U.S. and other countries.
For additional information on Extreme Networks trademarks, please
see: http://www.extremenetworks.com/company/legal/
Contents
Chapter 1: Preface.................................................................................................................. 12
Purpose ............................................................................................................................... 12
Training................................................................................................................................ 12
Providing Feedback to Us...................................................................................................... 13
Getting Help.......................................................................................................................... 13
Extreme Networks Documentation.......................................................................................... 14
Subscribing to service notifications......................................................................................... 14
Chapter 2: New in this document.......................................................................................... 16
Notice about feature support.................................................................................................. 20
Chapter 3: Security ................................................................................................................ 21
Security overview.................................................................................................................. 21
Security modes..................................................................................................................... 22
hsecure mode....................................................................................................................... 23
CLI passwords...................................................................................................................... 24
Port Lock feature................................................................................................................... 25
Access policies for services.................................................................................................... 25
User-based policy support...................................................................................................... 25
Denial-of-service attack prevention......................................................................................... 26
Configuration considerations.................................................................................................. 27
Interoperability configuration.................................................................................................. 28
Unicast Reverse Path Forwarding (uRPF)............................................................................... 28
Digital Certificate/PKI............................................................................................................. 29
Certificate order priority.................................................................................................... 31
Security configuration using CLI............................................................................................. 32
Enabling hsecure............................................................................................................ 32
Changing an invalid-length password................................................................................ 33
Changing passwords....................................................................................................... 34
Configuring directed broadcast......................................................................................... 37
Preventing certain types of DOS attacks........................................................................... 38
Configuring port lock........................................................................................................ 39
Unicast Reverse Path Forwarding configuration using CLI.................................................. 40
Digital certificate configuration using CLI........................................................................... 50
Security configuration using Enterprise Device Manager........................................................... 66
Enabling port lock............................................................................................................ 67
Locking a port................................................................................................................. 67
Changing passwords....................................................................................................... 68
Configuring directed broadcast on a VLAN........................................................................ 70
Unicast Reverse Path Forwarding configuration using EDM................................................ 71
Viewing ASG global configuration..................................................................................... 75
December 2017
Configuring Security on VOSS
5
Contents
Viewing active ASG accounts........................................................................................... 76
Digital certificate configuration using EDM......................................................................... 76
Chapter 4: Layer 2 security.................................................................................................... 85
Layer 2 security for IPv4 and IPv6 deployments....................................................................... 85
Dynamic ARP Inspection................................................................................................. 85
First Hop Security............................................................................................................ 86
DHCP Snooping and Neighbor Discovery inspection.......................................................... 98
IP Source Guard........................................................................................................... 100
Layer 2 security configuration using the CLI.......................................................................... 102
DHCP Snooping configuration using CLI......................................................................... 102
Dynamic ARP Inspection configuration using CLI............................................................. 109
FHS configuration.......................................................................................................... 112
DHCPv6 Guard policy configuration................................................................................ 117
RA Guard configuration................................................................................................. 122
IPv6 Neighbor Discovery inspection configuration............................................................ 128
IPv6 DHCP snooping configuration................................................................................. 132
IP Source Guard configuration ....................................................................................... 136
Layer 2 security configuration using the EDM........................................................................ 146
Dynamic ARP Inspection configuration using EDM........................................................... 147
Configuring FHS Globals............................................................................................... 148
IPv6 access list configuration......................................................................................... 149
MAC access list configuration......................................................................................... 151
DHCPv6 Guard policy configuration................................................................................ 153
RA Guard policy configuration........................................................................................ 156
Port policy mapping configuration................................................................................... 160
DHCP Snooping configuration using EDM....................................................................... 162
IP Source Guard configuration using the EDM................................................................. 168
Layer 2 security example scenarios...................................................................................... 171
FHS deployment scenario.............................................................................................. 171
Creating FHS IPv6 ACL................................................................................................. 172
Creating an FHS MAC ACL............................................................................................ 173
Creating a DHCPv6 Guard policy for the router................................................................ 173
Creating an RA Guard policy for the router...................................................................... 174
Attaching FHS policies to the interfaces.......................................................................... 175
IPv6 DHCP Snooping and ND Inspection configuration example....................................... 175
Configuring IP Source Guard.......................................................................................... 176
Chapter 5: Extensible Authentication Protocol over LAN................................................ 180
EAPOL fundamentals.......................................................................................................... 180
EAP terminology................................................................................................................. 180
EAP configuration................................................................................................................ 181
EAP system requirements.................................................................................................... 185
EAP dynamic VLAN assignment........................................................................................... 186
Traffic forwarding on EAP enabled port................................................................................. 189
December 2017
Configuring Security on VOSS
6
Contents
RADIUS-assigned VLAN...................................................................................................... 190
NEAP host.......................................................................................................................... 192
NEAP client........................................................................................................................ 194
EAP and NEAP limitations................................................................................................... 194
Multiple Host Single Authentication....................................................................................... 196
Guest VLAN........................................................................................................................ 196
EAP and NEAP separation................................................................................................... 200
EAP and NEAP VLAN names............................................................................................... 200
Fail Open VLAN.................................................................................................................. 200
EAPoL configuration using CLI............................................................................................. 201
Globally enabling EAP on the device............................................................................... 202
Configuring EAP on an interface..................................................................................... 202
Configuring EAP on a port.............................................................................................. 203
Configuring an EAP-enabled RADIUS server................................................................... 205
Configuring the switch for EAP and RADIUS................................................................... 206
Changing the authentication status of a port.................................................................... 208
Deleting an EAP-enabled RADIUS server....................................................................... 209
Configuring Fail Open VLAN.......................................................................................... 210
Displaying the current EAP-based security status............................................................. 211
Displaying the port VLAN information.............................................................................. 212
Configuring the format of the RADIUS password attribute when authenticating NEAP MAC
addresses using RADIUS............................................................................................... 213
Enabling RADIUS authentication of NEAP hosts on EAP enabled ports............................. 214
Configuring the maximum MAC clients............................................................................ 215
Configuring maximum EAP clients.................................................................................. 216
Configuring maximum NEAP clients................................................................................ 216
Configuring the Guest VLAN ID...................................................................................... 217
Clearing NEAP session.................................................................................................. 218
Configuring EAP operational mode................................................................................. 219
EAP configuration using Enterprise Device Manager.............................................................. 220
Globally configuring EAP on the server........................................................................... 220
Configuring EAP on a port.............................................................................................. 221
Showing the Port Access Entity Port table....................................................................... 224
Showing EAP Authentication.......................................................................................... 225
Viewing Multihost status information............................................................................... 226
Viewing EAP session statistics....................................................................................... 227
Viewing NEAP MAC information..................................................................................... 227
Chapter 6: IPsec.................................................................................................................... 229
IPsec fundamentals............................................................................................................. 229
Authentication header.................................................................................................... 231
Encapsulating security payload...................................................................................... 232
IPsec modes................................................................................................................. 232
Security association....................................................................................................... 233
December 2017
Configuring Security on VOSS
7
Contents
Security policy............................................................................................................... 233
IPsec limitations............................................................................................................ 234
IPsec configuration using CLI............................................................................................... 234
Creating an IPsec policy................................................................................................ 234
Enabling an IPsec policy................................................................................................ 235
Creating an IPsec security association............................................................................ 236
Configuring an IPsec security association........................................................................ 237
Configuring an IPsec policy............................................................................................ 240
Linking the IPsec security association to an IPsec policy.................................................. 242
Enabling IPsec on an interface....................................................................................... 243
Linking an IPsec policy to an interface............................................................................. 244
Enabling IPsec on a management interface..................................................................... 246
Linking an IPsec policy to a management interface.......................................................... 247
Displaying IPsec information on an interface.................................................................... 248
Displaying configured IPsec policies............................................................................... 250
Displaying IPsec security association information............................................................. 252
IPsec configuration using EDM............................................................................................. 255
Creating an IPsec policy................................................................................................ 255
Creating an IPsec security association............................................................................ 256
Linking the IPsec security association to an IPsec policy.................................................. 259
Enabling IPsec on an IPv6 interface................................................................................ 260
Enabling IPsec on an IPv4 interface................................................................................ 260
Linking an IPsec policy to an interface............................................................................. 261
Displaying IPsec interface statistics................................................................................ 262
Displaying switch level statistics for IPsec-enabled interfaces........................................... 265
Configuring IPsec for the OSPF virtual link...................................................................... 267
IPsec configuration examples............................................................................................... 269
IPsec configuration example.......................................................................................... 269
IPsec with ICMPv6 configuration example....................................................................... 270
OSPFv3 IPsec configuration example............................................................................. 272
OSPFv3 virtual link IPsec configuration example.............................................................. 278
IPsec configuration of TCP............................................................................................. 282
Chapter 7: MACsec............................................................................................................... 285
MACsec fundamentals......................................................................................................... 285
MACsec keys................................................................................................................ 286
MACsec security modes................................................................................................ 287
Connectivity associations and secure channels................................................................ 288
MACsec 2AN and 4AN mode......................................................................................... 288
MACsec components..................................................................................................... 288
MACsec operation......................................................................................................... 291
MACsec performance.................................................................................................... 292
MACsec configuration using CLI........................................................................................... 292
Configuring a connectivity association............................................................................. 292
December 2017
Configuring Security on VOSS
8
Contents
Updating the connectivity association key (CAK).............................................................. 294
Configuring MACsec encryption on a port........................................................................ 296
Configuring the confidentiality offset on a port.................................................................. 296
Viewing the MACsec connectivity association details........................................................ 298
Viewing MACsec status................................................................................................. 299
MACsec configuration using EDM......................................................................................... 301
Configuring connectivity associations.............................................................................. 301
Associating a port with a connectivity association............................................................. 302
Chapter 8: RADIUS............................................................................................................... 304
RADIUS fundamentals......................................................................................................... 304
RADIUS configuration using CLI........................................................................................... 309
Configuring RADIUS attributes....................................................................................... 309
Configuring RADIUS profile............................................................................................ 312
Enabling RADIUS authentication.................................................................................... 313
Enabling the source IP flag for the RADIUS server........................................................... 313
Enabling RADIUS accounting......................................................................................... 314
Enabling RADIUS-SNMP accounting.............................................................................. 315
Configuring RADIUS accounting interim request.............................................................. 316
Configuring RADIUS authentication and RADIUS accounting attributes............................. 317
Adding a RADIUS server............................................................................................... 320
Modifying RADIUS server settings.................................................................................. 322
Showing RADIUS information......................................................................................... 323
Displaying RADIUS server information............................................................................ 324
Configuring RADIUS server reachability.......................................................................... 324
Displaying RADIUS server reachability............................................................................ 325
Showing RADIUS SNMP configurations.......................................................................... 326
RADIUS configuration using Enterprise Device Manager........................................................ 326
Enabling RADIUS authentication.................................................................................... 327
Enabling RADIUS accounting......................................................................................... 329
Disabling RADIUS accounting........................................................................................ 330
Enabling RADIUS accounting interim request.................................................................. 331
Configuring the source IP option for the RADIUS server................................................... 332
Adding a RADIUS server............................................................................................... 334
Reauthenticating the RADIUS SNMP server session........................................................ 336
Configuring RADIUS SNMP........................................................................................... 337
Modifying a RADIUS configuration.................................................................................. 338
Deleting a RADIUS configuration.................................................................................... 339
Configuring RADIUS server reachability.......................................................................... 339
Chapter 9: Secure AAA server communication................................................................. 342
IKE configuration for Secure AAA server using CLI................................................................ 347
Configuring an IKE Phase 1 profile................................................................................. 347
Creating an IKE Phase 1 policy...................................................................................... 348
Configuring profile to be used for IKE Phase 1 policy....................................................... 349
December 2017
Configuring Security on VOSS
9
Contents
Configuring IKE Phase 2 perfect forward secrecy....................................................... 350
Configuring the IKE authentication method...................................................................... 350
Configuring dead-peer detection timeout......................................................................... 352
Enabling the admin state of IKE Phase 1 policy............................................................... 352
Displaying IKE profiles................................................................................................... 353
Displaying IKE policies................................................................................................... 354
Displaying IKE security association................................................................................. 356
Configuring an IKEv2 profile........................................................................................... 359
Displaying IKEv2 profiles............................................................................................... 360
IKE configuration for Secure AAA server............................................................................... 362
Configuring IKE Phase 1 profile...................................................................................... 362
Configuring IKEv2 profile............................................................................................... 363
Configuring IKE Phase 1 policy...................................................................................... 364
Displaying IKE Phase 1 security association.................................................................... 366
Displaying IKE V2 security association............................................................................ 367
Chapter 10: Simple Network Management Protocol (SNMP)............................................ 369
SNMPv3............................................................................................................................. 369
SNMP community strings..................................................................................................... 374
SNMPv3 support for VRF..................................................................................................... 376
SNMP configuration using CLI.............................................................................................. 376
Configuring SNMP settings............................................................................................ 377
Creating a user............................................................................................................. 380
Creating a new user group............................................................................................. 382
Creating a new entry for the MIB in the view table............................................................ 383
Creating a community.................................................................................................... 384
Adding a user to a group................................................................................................ 385
Blocking SNMP............................................................................................................. 386
Displaying SNMP system information.............................................................................. 387
SNMP configuration using Enterprise Device Manager........................................................... 388
Creating a user............................................................................................................. 389
Creating a new group membership................................................................................. 390
Creating access for a group........................................................................................... 391
Creating access policies for SNMP groups...................................................................... 392
Assigning MIB view access for an object......................................................................... 393
Creating a community.................................................................................................... 394
Viewing all contexts for an SNMP entity.......................................................................... 395
Chapter 11: TACACS+........................................................................................................... 396
TACACS+ fundamentals...................................................................................................... 396
TACACS+ Operation..................................................................................................... 397
TACACS+ Architecture.................................................................................................. 398
Authentication, authorization, and accounting............................................................ 398
Privilege level changes at runtime................................................................................... 402
TACACS+ and RADIUS differences................................................................................ 406
December 2017
Configuring Security on VOSS
10
Contents
TACACS+ feature limitations.......................................................................................... 407
TACACS+ configuration using CLI........................................................................................ 408
Enabling TACACS+....................................................................................................... 408
Adding a TACACS+ server............................................................................................. 408
Configuring TACACS+ authentication.............................................................................. 414
Configuring TACACS+ accounting.................................................................................. 415
Configuring command authorization with TACACS+......................................................... 416
Changing privilege levels at runtime................................................................................ 418
TACACS+ configuration using EDM................................................................................... 419
Configuring TACACS+ globally....................................................................................... 419
Adding a TACACS+ server............................................................................................. 422
Modifying a TACACS+ configuration............................................................................... 424
TACACS+ configuration examples........................................................................................ 425
TACACS+ configuration on the switch............................................................................. 425
Identity Engines Ignition Server TACACS+ configuration example..................................... 426
Glossary................................................................................................................................. 431
December 2017
Configuring Security on VOSS
11
Chapter 1: Preface
Purpose
This document provides information on features in VSP Operating System Software (VOSS).
VOSS runs on the following product families:
• Virtual Services Platform 4000 Series
• Virtual Services Platform 7200 Series
• Virtual Services Platform 8000 Series (includes VSP 8200 and VSP 8400 Series)
• Virtual Services Platform 8600
This security documentation provides conceptual information and procedures that you can use to
administer and configure the security features for the VOSS switches.
The security function includes tasks related to product security such as the management and
protection of resources from unauthorized or detrimental access and use. This document includes
information that supports the configuration and ongoing management of the following:
• communications
• data security
• user security
• access
Examples and network illustrations in this document may illustrate only one of the supported
platforms. Unless otherwise noted, the concept illustrated applies to all supported platforms.
Training
Ongoing product training is available. For more information or to register, you can access the Web
site at www.extremenetworks.com/education/.
December 2017
Configuring Security on VOSS
12
Providing Feedback to Us
Providing Feedback to Us
We are always striving to improve our documentation and help you work better, so we want to
hear from you! We welcome all feedback but especially want to know about:
• Content errors or confusing or conflicting information.
• Ideas for improvements to our documentation so you can find the information you need
faster.
• Broken links or usability issues.
If you would like to provide feedback to the Extreme Networks Information Development team
about this document, please contact us using our short online feedback form. You can also email
us directly at internalinfodev@extremenetworks.com
Getting Help
Product purchased from Extreme Networks
If you purchased your product from Extreme Networks, use the following support contact
information to get help.
If you require assistance, contact Extreme Networks using one of the following methods:
• GTAC (Global Technical Assistance Center) for Immediate Support
- Phone: 1-800-998-2408 (toll-free in U.S. and Canada) or +1 408-579-2826. For the
support phone number in your country, visit: www.extremenetworks.com/support/contact
- Email: support@extremenetworks.com. To expedite your message, enter the product
name or model number in the subject line.
• GTAC Knowledge – Get on-demand and tested resolutions from the GTAC Knowledgebase,
or create a help case if you need more guidance.
• The Hub – A forum for Extreme customers to connect with one another, get questions
answered, share ideas and feedback, and get problems solved. This community is monitored
by Extreme Networks employees, but is not intended to replace specific guidance from
GTAC.
• Support Portal – Manage cases, downloads, service contracts, product licensing, and training
and certifications.
Before contacting Extreme Networks for technical support, have the following information ready:
• Your Extreme Networks service contract number and/or serial numbers for all involved
Extreme Networks products
• A description of the failure
• A description of any action(s) already taken to resolve the problem
• A description of your network environment (such as layout, cable type, other relevant
environmental information)
December 2017
Configuring Security on VOSS
13
Preface
• Network load at the time of trouble (if known)
• The device history (for example, if you have returned the device before, or if this is a
recurring problem)
• Any related RMA (Return Material Authorization) numbers
Product purchased from Avaya
If you purchased your product from Avaya, use the following support contact information to get
help.
Go to the Avaya Support website at http://support.avaya.com for the most up-to-date
documentation, product notices, and knowledge articles. You can also search for release notes,
downloads, and resolutions to issues. Use the online service request system to create a service
request. Chat with live agents to get answers to questions, or request an agent to connect you to a
support team if an issue requires additional expertise.
Extreme Networks Documentation
To find Extreme Networks product guides, visit our documentation pages at:
Current Product Documentation
www.extremenetworks.com/documentation/
Archived Documentation (for previous
www.extremenetworks.com/support/documentationarchives/
versions and legacy products)
Release Notes
www.extremenetworks.com/support/release-notes
Open Source Declarations
Some software files have been licensed under certain open source licenses. More information is
available at: www.extremenetworks.com/support/policies/software-licensing.
Subscribing to service notifications
Subscribe to receive an email notification for product and software release announcements,
Vulnerability Notices, and Service Notifications.
About this task
You can modify your product selections at any time.
Procedure
1. In an Internet browser, go to http://www.extremenetworks.com/support/service-notificationform/ .
2. Type your first and last name.
3. Type the name of your company.
December 2017
Configuring Security on VOSS
14
Subscribing to service notifications
4. Type your email address.
5. Type your job title.
6. Select the industry in which your company operates.
7. Confirm your geographic information is correct.
8. Select the products for which you would like to receive notifications.
9. Click Submit.
December 2017
Configuring Security on VOSS
15
Chapter 2: New in this document
The following sections detail what is new in Configuring Security since issue 09.01.
DHCP Snooping
DHCP Snooping is a Layer 2 security feature that provides network security by filtering untrusted
DHCP messages, and it also builds and maintains a DHCP binding table.
For more information, see:
• DHCP Snooping and Neighbor Discovery inspection on page 98
• DHCP Snooping configuration using CLI on page 102
• DHCP Snooping configuration using EDM on page 162
Digital Certificate/PKI
This switch software implements the digital certificate framework that provides Public Key
Infrastructure (PKI) support to allow digital certificate validation.
For more information, see:
• Digital Certificate/PKI on page 29
• Certificate order priority on page 31
• Digital certificate configuration using CLI on page 50
• Digital certificate configuration using EDM on page 76
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in the network.
Without DAI, a malicious user can attack hosts, switches, and routers connected to the Layer 2
network by poisoning the ARP caches of systems connected to the subnet, and intercepting traffic
intended for other hosts on the subnet. DAI prevents these attacks by intercepting, logging, and
discarding the ARP packets with invalid IP to MAC address bindings.
For more information, see:
• Dynamic ARP Inspection on page 85
• Dynamic ARP Inspection configuration using CLI on page 109
• Dynamic ARP Inspection configuration using EDM on page 147
EAPoL enhancements
The following EAPoL (EAP) enhancements are supported:
EAP and NEAP max clients on port:
This enhancement limits the total number of EAP and NEAP clients per port.
December 2017
Configuring Security on VOSS
16
For more information, see:
• EAP and NEAP limitations on page 194
• Configuring maximum NEAP clients on page 216
• Configuring maximum EAP clients on page 216
• Configuring EAP on a port on page 221
• Showing the Port Access Entity Port table on page 224
EAP and NEAP separation:
This enhancement gives you the ability to disable EAP clients authentication without disabling NEAP
clients. There are no additional configuration commands.
For more information, see:
• EAP and NEAP separation on page 200
EAP and NEAP VLAN names:
VLAN names configures VLAN membership of EAP and NEAP clients. You do not have to configure
this feature as this mode is always enabled by default.
For more information, see:
• EAP and NEAP VLAN names on page 200
Enhanced MHMV:
Use enhanced MHMV to assign multiple authenticated devices to different VLANs on the same port.
Clients can access different VLANs using the MAC address of the devices. Different clients with
different level of access in different VLANs can exist on the same port.
For more information, see:
• EAP dynamic VLAN assignment on page 186
• Displaying the port VLAN information on page 212
Fail Open VLAN:
Fail Open VLAN provides network connectivity when the RADIUS Server is unreachable. If RADIUS
Server is known as unreachable, new connected clients will access Fail Open VLAN. Already
authenticated clients will continue to access their RADIUS Assigned VLANs.
For more information, see:
• Fail Open VLAN on page 200
• Displaying the current EAP-based security status on page 211
• Configuring Fail Open VLAN on page 210
• Configuring EAP on a port on page 221
• Showing the Port Access Entity Port table on page 224
Guest VLAN:
Guest VLAN support provides limited network access until the client is authenticated. Guest VLAN is
configured irrespective of the number of authenticated clients present on the port. Guest VLAN is
available for each port. Only port based VLANs are used as Guest VLANs. When the Guest VLAN
December 2017
Configuring Security on VOSS
17
New in this document
feature is configured, port is added to the Guest VLAN and port default VLAN ID changes to Guest
VLAN ID.
For more information, see:
• Guest VLAN on page 196
• Configuring the Guest VLAN ID on page 217
• Configuring EAP on a port on page 221
• Showing the Port Access Entity Port table on page 224
Multiple Host Single Authentication:
Multiple Host Single Authentication (MHSA) allows MACs to access the network without EAP and
NEAP authentication. Unauthenticated devices can access the network only after an EAP or NEAP
client is successfully authenticated on a port. The VLAN to which the devices are allowed is the
client authenticated VLAN. Unless Guest VLAN is configured and there is no authenticated client on
the port there will be no MAC allowed to access the network.
For more information, see:
• Multiple Host Single Authentication on page 196
• Configuring EAP operational mode on page 219
RADIUS server reachability:
RADIUS server reachability runs a periodic check in the background to identify the available
servers. The switch is aware of the first available EAP RADIUS server without going through each of
the servers and wait for time-outs.
For more information, see:
• RADIUS fundamentals on page 304
• Configuring RADIUS server reachability on page 324
• Displaying RADIUS server reachability on page 325
• Configuring RADIUS server reachability on page 339
RFC 3580 RADIUS attributes: IEEE 802.1X Remote Authentication Dial In User Service:
There is added support for the following RADIUS attributes, described by RFC 3580:
• Called-Station ID
• Calling-Station ID
• NAS-Port ID
Attributes support both EAP and NEAP clients.
For more information, see:
• RADIUS fundamentals on page 304
RFC 4675 RADIUS attributes: Egress VLAN:
There is added support for the following RADIUS attributes, described by RFC 4675:
• Egress-VLAN ID
December 2017
Configuring Security on VOSS
18
• Egress-VLAN name
For more information, see:
• RADIUS fundamentals on page 304
IP Source Guard
IP Source Guard (IPSG) is a Layer 2 port-to-port feature that provides security to the network by
filtering clients with invalid IP addresses. For more information, see IP Source Guard on page 100.
For more information on configuring IPSG, see:
• IP Source Guard configuration on page 136
• IP Source Guard configuration using the EDM on page 168
Modifications to the Layer 2 security chapter
The chapter on Layer 2 security has been modified to improve the accessibility of IPv4 and IPv6
Layer 2 security features.
Secure AAA server communication
This switch software implements the Secure AAA server communication feature. AAA refers to
Authentication, Authorization, and Accounting. This feature deploys Internet Protocol Security
(IPsec) to provide per-packet confidentiality, authentication, integrity, and replay protection to the
AAA server communication, including the security protocols, the Remote Access Dial-in User
Services (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+).
The Internet Key Exchange (IKE) protocol is used for key management.
This feature provides the following enhancements to the security implementation:
• RADIUS secure communication using IPSec for IPv4
• RADIUS secure communication using IPSec for IPv6
• TACACS+ secure communication using IPSec for IPv4
• IPsec support for IPv4 protocol and configuring a Circuitless IP (CLIP) address on a loopback
interface.
• Automatic configuration of shared key using IKE protocol for both IPv4 and IPv6.
• IKE support for two types of authentication methods for the IKE session establishment:
- Pre-shared-key
- Digital signature (digital certificate signed by trusted Certificate Authority (CA)
IPsec information is updated in the document. If you downgrade your software, the current IPsec
configurations are no longer supported. You must boot with the factory default settings for IPsec,
and then reconfigure the IPsec features.
For more information, see:
• Secure AAA server communication on page 342
• IPsec fundamentals on page 229
• IPsec configuration using CLI on page 234
• IPsec configuration using EDM on page 255
December 2017
Configuring Security on VOSS
19
New in this document
Notice about feature support
This document includes content for multiple hardware platforms across different software
releases. As a result, the content can include features not supported by your hardware in the
current software release.
If a documented command, parameter, tab, or field does not appear on your hardware, it is not
supported.
For information about feature support, see Release Notes.
For information about physical hardware restrictions, see your hardware documentation.
December 2017
Configuring Security on VOSS
20
Chapter 3: Security
This section provides conceptual content to help you configure and customize the security services
on the switch.
Security overview
Security is a critical attribute of networking devices. Security features are split into two main areas:
• Control path—protects the access to the device from a management perspective.
• Data path—protects the network from malicious users by controlling access authorization to
the network resources (such as servers and stations). This protection is primarily
accomplished by using filters or access lists.
You can protect the control path using the following mechanism:
• logon and passwords
• access policies to specify the network and address that can use a service or daemon
• secure protocols, such as Secure Shell (SSH), Secure Copy (SCP), and the Simple Network
Management Protocol version 3 (SNMPv3)
• the Message Digest 5 Algorithm (MD5) to protect routing updates, Open Shortest Path First
(OSPF), and Border Gateway Protocol (BGP)
You can protect the data path using the following mechanism
• Media Access Control (MAC) address filtering
• Layer 3 filtering, such as Internet Protocol (IP) and User Datagram Protocol (UDP)/
Transmission Control Protocol (TCP) filtering
• routing policies to prevent users from accessing restricted areas of the network
• mechanisms to prevent denial-of-service (DOS) attacks
December 2017
Configuring Security on VOSS
21
Security
Security modes
The switch support three security modes:
• Enhanced secure
• Hsecure
• SSH secure
Enable SSH secure mode to allow only SSH to be used and disable all other protocols which
include Telnet, rlogin, FTP, SNMP, TFTP, HTTP, and HTTPS. Enabling this mode disables Telnet,
rlogin, FTP, SNMP, TFTP, HTTP, and HTTPS by setting the boot flags for these protocols to off.
You can over-ride the configuration and enable required protocols individually for run-time use.
The administrator must enable required protocols individually for run-time use again following a
reboot even if you save the configuration. This is because the SSH secure mode enable takes
precedence at the time of reboot and the other protocols will be disabled even though the
configuration file has them set to enabled.
Note:
Disabling SSH secure mode will not automatically enable the OA&M protocols that were
disabled. The boot flags for the required protocols will have to be individually set to enabled.
The following table lists the differences between enhanced secure mode and hsecure mode.
Table 1: Enhanced secure mode versus hsecure mode
Feature
Enhanced secure
Hsecure
Authentication
Role-based:
Access-level based:
• admin
• rwa
• privilege
• rw
• operator
• ro
• security
• l3
• auditor
• l2
• l1
Password length
Minimum of 8 characters with the
exception of the Admin, which
requires a minimum of 15
characters
10 characters, minimum
Password rules
1 or 2 upper case, lower case,
numeric and special characters
Minimum of 2 upper case, 2 lower
case, 2 numeric and 2 special
characters
Password expiration
Per-user minimum change
interval is enforced, which is
programmed by the Administrator
Global expiration, configured by
the Admin
Table continues…
December 2017
Configuring Security on VOSS
22
hsecure mode
Feature
Enhanced secure
Hsecure
Password-unique
Previous passwords and
common passwords between
users are prevented
The same
Password renewal
Automatic password renewal is
enforced
The same
Audit logs
Audit logs are encrypted, and
authorized users are able to view,
modify, and delete.
Standard operation
SNMPv3
Password rules apply to SNMPv3
Auth&Priv. SNMPv3 is required
(V1/V2 disabled)
SNMPv1 and SNMPv2 can be
enabled.
EDM
Site Admin to enable or disable
Disabled
Telnet and FTP
Site Admin to enable or disable
The same
DOS attack Prevention
Not available
Prevents DOS attacks by filtering
IP addresses and IP address
ranges.
For information on Enhanced secure mode and SSH, see Administering.
hsecure mode
The switch supports a flag called high secure (hsecure). hsecure introduces the following
behaviors for passwords:
• 10-character enforcement
• aging time
• limitation of failed logon attempts
• protection mechanism to filter certain IP addresses
After you enable the hsecure flag, the software enforces the 10-character rule for all passwords.
This password must contain a minimum of two uppercase characters, two lowercase characters,
two numbers, and two special characters.
After you enable hsecure, the system requires you to save the configuration file and reboot the
system for hsecure to take effect. If the existing password does not meet the minimum
requirements for hsecure, the system prompts you to change the password during the first login.
The default username is rwa and the default password is rwa. In hsecure, the system prompts you
to change these during first login because they do not meet the minimum requirements for
hsecure.
When you enable hsecure, the system disables Simple Network Management Protocol (SNMP)
v1, SNMPv2 and SNMPv3. If you want to use SNMP, you must re-enable SNMP, using the
command no boot config flag block-snmp.
December 2017
Configuring Security on VOSS
23
Security
Aging enforcement
After you enable the hsecure flag, you can configure a duration after which you must change your
password. You configure the duration by using the aging parameter.
For SNMP and File Transfer Protocol (FTP), after a password expires, access is denied. Before
you access the system, you must change a community string to a new string consisting of more
than eight characters.
Important:
Consider the following after you enable the hsecure flag:
• You cannot enable the Web server for Enterprise Device Manager (EDM) access.
• You cannot enable the Secure Shell (SSH) password authentication.
For more information, see Administering.
Filtering mechanism
Incorrect IP source addresses as network or broadcast addresses are filtered at the virtual router
interface. Source addresses 192.168.168.0 and 192.168.168.255 are discarded.
This change is valid for all IP subnets, not only for /24.
You can filter addresses only if you enable the hsecure mode.
CLI passwords
The switch ships with default passwords assigned for access to Command Line Interface (CLI)
through a console or management session. If you have read/write/all access authority, and you
are using SNMPv3, you can change passwords that are in an encrypted format. If you are using
Enterprise Device Manager (EDM), you can also specify the number of available Telnet sessions
and rlogin sessions.
Important:
The default passwords are documented and well known. Change the default passwords and
community strings immediately after you first log on.
If you enable enhanced secure mode with the boot config flags enhancedsecure-mode
command, you enable different access levels, along with stronger password complexity, length,
and minimum change intervals. For more information on system access fundamentals and
configuration, see Administering.
December 2017
Configuring Security on VOSS
24
Port Lock feature
Port Lock feature
You can use the Port Lock feature to administratively lock a port or ports to prevent other users
from changing port parameters or modifying port action. You cannot modify locked ports until the
ports are first unlocked.
Access policies for services
You can control access to the switch by creating an access policy. An access policy specifies the
hosts or networks that can access the device through various services, such as Telnet, SNMP,
Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), Hypertext Transfer Protocol
(HTTP), Remote Shell (RSH), and remote login (rlogin). You can enable or disable access
services by setting flags from CLI.
You can define network stations that can explicitly access the switch or stations that cannot
access it. For each service you can also specify the level of access, such as read-only or readwrite-all.
Important:
A third-party security scan shows the switch service ports open and in the listen state. No
connections are accepted on these ports unless you enable the particular daemon. The switch
does not dynamically start and stop the daemons at runtime and needs to keep them running
from system startup.
For more information about configuring access policies, see Administering.
User-based policy support
You can set up a user-based policy (UBP) system by using Enterprise Policy Manager (EPM), a
RADIUS server.
EPM is an application designed to manage the traffic prioritization and network access security for
business applications. It provides centralized control of advanced packet classification and the
ability to priority mark, police, meter, or block traffic.
EPM 5.0 supports UBPs, which allow security administrators to establish and enforce roles and
conditions for each user for all access ports in the network. The UBP feature in EPM works in
conjunction with Extensible Access Protocol (EAP) technology to enhance the security of the
network. Users log on to the networks and are authenticated as the network connection is
established.
The UBP feature works as an extension to the Roles feature in EPM. In a UBP environment, role
objects are linked directly to specific users (as RADIUS attributes), as opposed to being linked
December 2017
Configuring Security on VOSS
25
Security
simply to device interfaces. The role object then links the usersOh, Ito specific policies that control
the user's access to the network.
When the RADIUS server successfully authenticates a user, the device sends an EAP session
start event to the EPM policy server. The policy server then sends user-based policy configuration
information for the new user roles to the interface, based on the role attribute that was assigned to
that user on the RADIUS server.
Denial-of-service attack prevention
Hsecure
The switch supports a configurable flag, called high secure (hsecure). High secure mode
introduces a protection mechanism to filter certain IP addresses, and two restrictions on
passwords: 10-character enforcement and aging time.
If the device starts in hsecure mode with default factory settings, and no previously configured
password, the system will prompt you to change the password. The new password must follow the
rules mandated by high secure mode. After you enable hsecure and restart the system, if you
have an invalid-length password you must change the password.
If you enable hsecure for the first time and the password file does not exist, then the device
creates a normal default username (rwa) and password (rwa). In this case, the password does not
meet the minimum requirements for hsecure and as a result the system prompts you to change
the password.
The following information describes hsecure mode operations:
• When you enable the hsecure flag, after a certain duration you are asked to change your
password. If not configured, the aging parameter defaults to 90 days.
• For SNMP and FTP, access is denied when a password expires. You must change the
community strings to a new string made up of more than eight characters before accessing
the system.
• You cannot enable the Web server at any time.
• You cannot enable the SSH password-authentication feature at any time.
Hsecure is disabled by default. When you enable hsecure, the desired behavior applies to all
ports.
For more information, see Preventing certain types of DOS attacks on page 38.
Prioritization of control traffic
The switch uses a sophisticated prioritization scheme to schedule control packets on physical
ports. This scheme involves two levels with both hardware and software queues to guarantee
proper handling of control packets regardless of the switch load. In turn, this scheme guarantees
the stability of the network. Prioritization also guarantees that applications that use many
broadcasts are handled with lower priority.
You cannot view, configure, or modify control-traffic queues.
December 2017
Configuring Security on VOSS
26
Configuration considerations
Directed broadcast suppression
You can enable or disable forwarding for directed broadcast traffic on an IP-interface basis. A
directed broadcast is a frame sent to the subnet broadcast address on a remote IP subnet. By
disabling or suppressing directed broadcasts on an interface, you cause all frames sent to the
subnet broadcast address for a local router interface to be dropped. Directed broadcast
suppression protects hosts from possible DoS attacks.
To prevent the flooding of other networks with DoS attacks, such as the Smurf attack, the switch is
protected by directed broadcast suppression. This feature is enabled by default. It is
recommended not disable it.
For more information, see Configuring directed broadcast on page 37.
ARP request threshold recommendations
The Address Resolution Protocol (ARP) request threshold defines the maximum number of
outstanding unresolved ARP requests. The default value for this function is 500 ARP requests. To
avoid excessive amounts of subnet scanning that a virus can cause, It is recommended that you
change the ARP request threshold to a value between 100 and 50. This configuration protects the
CPU from causing excessive ARP requests, protects the network, and lessens the spread of the
virus to other PCs. The following list provides further recommended ARP threshold values:
• Default: 500
• Severe conditions: 50
• Continuous scanning conditions: 100
• Moderate: 200
• Relaxed: 500
For more information about how to configure the ARP threshold, see Configuring IPv4 Routing.
Multicast Learning Limitation
The Multicast Learning Limitation feature protects the CPU from multicast data packet bursts
generated by malicious applications. If more than a certain number of multicast streams enter the
CPU through a port during a sampling interval, the port is shut down until the user or administrator
takes the appropriate action.
For more information, see Configuring IP Multicast Routing Protocols.
Configuration considerations
Use the information in this section to understand the limitations of some security functions such as
BSAC RADIUS servers and Layer 2 protocols before you attempt to configure security.
Single profile enhancement for BSAC RADIUS servers
Before enabling Remote Access Dial-In User Services (RADIUS) accounting on the device, you
must configure at least one RADIUS server.
The switch software supports Microsoft Radius Servers (NPS Windows 2008, Windows 2003 IAS
Server), BaySecure Access Control (BSAC), Merit Network servers and Linux based servers. To
December 2017
Configuring Security on VOSS
27
Security
use these servers, you must first obtain the software for the server. You must also make changes
to one or more configuration files for these servers.
Single Profile is a feature that is specific to BSAC RADIUS servers. In a BSAC RADIUS server,
when you create a client profile, you can specify all the returnable attributes. When you use the
same profile for different products (Virtual Services Platform 8000 Series and Baystack 450, for
example) you specify all the returnable attributes in the single profile.
Attribute format for a third-party RADIUS server
If you use a third-party RADIUS server and need to modify the dictionary files, you must add a
vendor-specific attribute (attribute #26) and use 1584 as vendor code for all the devices and then
send back access-priority vendor-assigned attribute number 192 with a decimal value of 1 to 6,
depending upon whether you want read only to read-write-all.
RADIUS on management ports
The management port supports the RADIUS protocol. When RADIUS packets are sent out of the
management port, the SRC-IP address is properly entered in the RADIUS header.
For more information about the supported RADIUS servers, see the documentation of the
RADIUS server.
SNMP cloned user considerations
If the user from which you are cloning has authentication, you can choose for the new user to
either have the same authentication protocol as the user from which it was cloned, or no
authentication. If you choose authentication for the new user, you must provide a password for
that user. If you want a new user to have authentication, you must indicate that at the time you
create the new user. You can assign a privacy protocol only to a user that has authentication.
If the user from which you are cloning has no authentication, then the new user has no
authentication.
Interoperability configuration
The switch is compatible with RADIUS servers.
Unicast Reverse Path Forwarding (uRPF)
The Unicast Reverse Path Forwarding (uRPF) feature prevents packet forwarding for incoming
unicast IP packets that have incorrect or forged (spoofed) IP addresses. The uRPF feature checks
that the traffic received on an interface comes from a valid IP address, thereby preventing address
spoofing. On a reverse path check, if the source IP address of the received packet at the interface
is not reacheable using the FIB, the system drops the packet as the packet may have originated
from a misconfigured or a malicious source.
December 2017
Configuring Security on VOSS
28
Digital Certificate/PKI
You can configure uRPF for each IP interface or VLAN. When uRPF is enabled on an interface,
the switch checks all routing packets that come through that interface. It ensures that the source
address and source interface appear in the routing table, and that it matches the interface, on
which the packet was received.
You can use one of two modes for uRPF:
• Strict mode: In strict mode, uRPF checks whether the source IP address of the incoming
packet exists in the FIB. If the incoming interface is not the best reverse path, the packet
check fails and uRPF drops the packet. If the routing engine finds the source IP entry, uRPF
further checks if the source IP interface matches the incoming interface of the packet. If they
match, the system forwards the packet as usual, otherwise, the system discards the packet.
Note:
The number of packets dropped due to uRPF check on the ingress interface gets
incremented along with other general dropped statistics under the IN-DISCARD column
in the output of the command show interfaces gigabitEthernet error
<collision|verbose> {slot/port[-slot/port][,...]}.
• Loose mode: In loose mode, uRPF checks whether the source IP address of the incoming
packet exists in the FIB. The packet is dropped only if the source address is not reachable
via any interface on that router.
uRPF can be enabled independently for IPv4 and IPv6. However, on a given interface, if uRPF is
enabled for both IPv4 and IPv6, the urpf-mode can be either strict-mode or loose-mode for both
IPv4 and IPv6. That means we cannot have IPv4 urpf-mode configured differently than that of
IPv6.
Note:
uRPF check cannot detect spoofed source IP address if the source IP address belongs to a
known subnet.
Digital Certificate/PKI
This section provides information on the digital certificate framework and offline certificate
management.
A digital certificate is an electronic document that identifies subject, proves the ownership of public
key, and is digitally signed by a certification authority (CA) that certifies the validity of the
information in the certificate. A digital certificate is valid for only a specific period of time.
Public Key Infrastructure (PKI) support assists the switches to obtain and use digital certificates for
secure communication in the network.
To be certified, a switch performs the following tasks:
• Generate certificate signing request
• Verify that a present certificate has not been revoked
December 2017
Configuring Security on VOSS
29
Security
• Validate the certificate
• Renew the certificate before it expires
• Remove the certificate if required
Subject
An administrator configures the subject parameters such as common name, organization name,
organization unit, locality, state and country for requesting the identity certificate.
Challenge password
A password is required for Simple Certificate Enrollment Protocol (SCEP) operations like the
enrollment and renewal of identity certificate. This password is given offline by the CA during end
entity registration. The administrator provides this password during enroll and renew operations.
UsePost
There are different types of CAs like EJBCA, Win2012, and others. The usePost parameter allows
you to choose the style of HTTP request. The value for usePost parameter can be set True or
False.
For example, if Win2012 SCEP does not support POST mode of HTTP request, set the usePost
as False for Win2012 and set usePost as True for EJBCA.
Root CA certificate
The Root CA certificate obtained offline from CA must be installed for SCEP operations. This Root
CA certificate is transferred to the device during the installation. The system does not allow any
SCEP operations if the offline Root CA certificate is not installed and error messages are logged.
Key generation
The supported key type is RSA with RSA key of size 2048. At a time, there is only one active keypair associated with trustpoint CA and digital certificate. The system does not allow generating a
new key-pair if there is a key-pair already associated with the active digital certificate. The system
logs the error message if such new key generation is attempted. In such case the certificate must
be revoked first before a new key-pair is generated.
TrustPoint CA setup
Trustpoints let us manage and track CAs and certificates. A trustpoint is a representation of a CA
or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters,
and an association with one generated key. The switch can enroll with a trust point to obtain an
identity certificate. Trustpoint is set up once RSA key pair is generated and the CA identity and
other configuration parameters are available. The CA name to configure a trustpoint should be
unique.
Certificate enrollment
Certificate enrolment involves generating certificate signing request (CSR). Before certificate
enrolment, trustpoint CA must be configured and the user configuration parameters should be
available. The key usage extension parameter is required as an input. It indicates the purpose of
the key contained in the certificate, that the key can be used for encipherment, digital signature,
certificate signing and so on.
The certificate enrollment is not allowed if there is an active certificate already available. If new
certificate enrollment is required, the existing active certificate must be revoked first. The system
logs the enrollment success or failure responses.
December 2017
Configuring Security on VOSS
30
Digital Certificate/PKI
Certificate renewal
The certificate renewal must be done by the administrator before it expires. A trap is set for a predefined period before expiry date of the certificate and the certificate renewal due warning
message is logged by the system. The system does not allow certificate renewal request if an
active certificate is not available. The system replaces the existing certificate with the newly
obtained certificate on successful renewal. The system logs the renewal success or failure
responses.
Certificate revocation or removal
The certificate can be revoked or withdrawn from the specific device for a specific reason at any
point of time. The system does not allow certificate revocation request if an active certificate is not
available. The system releases the existing certificate on successful revocation. The system logs
the revocation success or failure responses.
During boot up, the system checks whether an active installed certificate is available. If a valid
certificate is not available the system logs the warning message.
Offline certificate management
Offline certificate management supports the switches that cannot communicate with the Certificate
Authority to obtain the identity certificate online by certificate enrollment operation.
Configure the subject and RSA key-pair to obtain the offline identity certificate. The configured
subject parameters and RSA key are used to generate the Certificate Signing Request (CSR).
This CSR is used to obtain the offline identity certificate.
The Root CA certificate and all the intermediate CA certificates of certificate chain must be
installed in the device before installing the offline identity or device certificate. All the intermediate
and Root CA certificates are stored in certificate store and are used for CA certificate chain
validation. The CA certificate chain validation is performed starting from the issuing CA certificate
till the Root CA certificate during the install operation of offline identity certificate. The offline
identity certificate is installed only if the CA certificate chain validation, subject and key match.
Storage
The system stores all of the configurations of the digital certificate module in /intflash/.cert
in a file named cert.info.cfg. After a reboot, the system loads the configurations directly from this
file. As a result, no digital certificate configuration is visible if you use the show runningconfig command. Instead use the commands appropriate for displaying digital certificate
information. For more information, see Viewing the certificate details on page 55.
Certificate order priority
Use the following information to understand the certificate order priority when the TLS server and
switch connect.
The TLS server selects the server certificate in the following order:
1. A CA-signed certificate if the certificate is already present in the /intflash/.cert/
folder on the switch.
2. A self-signed certificate if the certificate is already present in the /intflash/.cert/
folder on the switch.
December 2017
Configuring Security on VOSS
31
Security
If the server certificates are not available, TLS server generates a new self-signed certificate on
boot and uses that by default. The self-signed certificate is available
in /.intflash/.cert/.ssl. You can choose to use an online or offline CA signed certificate
which will take precedence over the self-signed one.
SSL-based self-signed certificate
Some earlier releases use the default certificate available in the /intflash/.ssh folder, which
is the open SSL-based self-signed certificate that is named host.cert.
To use the Mocana stack based self-signed certificate, delete the open SSL self-signed certificate
prior to upgrading your software release. The Mocana certificate offers better and stronger
encryption.
If a user does not delete the host.cert file in the /intflash/.ssh folder used in earlier releases,
forcefully generates a self-signed certificate automatically during upgrade or post upgrade using
the command config ssl certificate.
If you have a subscribed CA-signed certificate renamed as host.cert in folder /intflash/.ssh
in the previous release, it cannot be reused now.
To use your subscribed CA-signed certificate, upgrade with the Mocana-based self-signed
certificate, and then use the digital certificates feature to install a CA-signed certificate through the
online or offline method.
You cannot obtain a CA-signed certificate and rename the certificate as host.cert. You must use
the online or offline method to obtain certificate.
Security configuration using CLI
Configure security information used on the control and data paths to protect the network from
uncontrolled access to network resources.
For more information about how to configure passwords and access policies, see Administering.
Enabling hsecure
The hsecure flag is disabled by default. When you enable it, the software enforces the 10
character rule for all passwords.
About this task
When you upgrade from a previous release, if the password does not have at least 10 characters,
you receive a prompt to change your password to the mandatory 10-character length.
If you enable hsecure for the first time and the password file does not exist, then the device
creates a normal default username (rwa) and password (rwa). In this case, the password does not
meet the minimum requirements for hsecure and as a result the system prompts you to change
the password.
December 2017
Configuring Security on VOSS
32
Security configuration using CLI
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable or disable hsecure mode:
boot config flags hsecure
The following warning messages appear:
Warning: For security purposes, all unsecure services - TFTP, FTP, Rlogin,
Telnet, SNMP are disabled. Individually enable the required services.
Warning: Please save boot configuration and reboot the switch for this to take
effect.
3. Save the configuration and restart the device for the change to take effect.
Example
Switch:1> enable
Switch:1# configure terminal
Enable hsecure mode:
Switch:1(config)# boot config flags hsecure
Warning: For security purposes, all unsecure services - TFTP, FTP,
Rlogin, Telnet, SNMP are disabled. Individually enable the required
services. Warning: Please save boot configuration and reboot the switch
for this to take effect.
Save the configuration:
Switch:1(config)# save config
Restart the switch:
Switch:1(config)# reset
Are you sure you want to reset the switch (y/n)? y
Changing an invalid-length password
Before you begin
Important:
When you enable hsecure, passwords must contain a minimum of 10 characters or numbers
with a maximum of 20. The password must contain a minimum of: two uppercase characters,
two lowercase characters, two numbers, and two special characters.
December 2017
Configuring Security on VOSS
33
Security
About this task
After you enable hsecure and restart the system, change your password if you have an invalidlength password.
Procedure
1. At the CLI prompt, log on to the system.
2. Enter the password.
When you have an invalid-length password, the following message appears:
Your password is valid but less than mandatory 10 characters.
Please change the password to continue.
3. When prompted, enter the new password.
4. When prompted, reenter the new password.
Example
Log on to the switch:
Login: rwa
Enter the password:
Password: ***
Your password is valid but less than mandatory 10 characters. Please
chnage the password to continue.
Enter the new password:
Enter the new password: **********
Re-enter the new password:
Re-enter the new password: **********
Password successfully changed.
Changing passwords
Configure new passwords for each access level, or change the logon or password for the different
access levels of the switch. After you receive the switch, use default passwords to initially access
CLI. If you use Simple Network Management Protocol version 3 (SNMPv3), you can change
encrypted passwords.
Before you begin
• You must use an account with read-write-all privileges to change passwords. For security, the
switch saves passwords to a hidden file.
December 2017
Configuring Security on VOSS
34
Security configuration using CLI
About this task
If you enable the hsecure flag, after the aging time expires, the system prompts you to change
your password. If you do not configure the aging time, the default is 90 days.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Change a password:
cli password WORD<1–20> {layer1|layer2|layer3|read-only|read-write|
read-write-all}
3. Enter the old password.
4. Enter the new password.
5. Enter the new password a second time.
6. Configure password options:
password access-level WORD<2–8>
password aging-time day <1-365>
password default-lockout-time <60-65000>
password lockout WORD<0–46> [time <60-65000>]
password min-passwd-len <10-20>
password password-history <3-32>
Example
Switch:1>enable
Switch:1#configure terminal
Change a password:
Switch:1(config)# password smith read-write-all
Enter the old password:
Switch:1(config)#*********
Enter the new password:
Switch:1(config)#*********
Enter the new password a second time:
Switch:1(config)#*********
Set password to an access level of read-write-all and the expiration period for the password to 60
days:
December 2017
Configuring Security on VOSS
35
Security
Switch:1(config)#access-level rwa aging-time 60
Variable definitions
Use the data in the following table to use the cli password command.
Table 2: Variable definitions
Variable
Value
layer1|layer2|layer3|read-only|read-write|read-writeall
Changes the password for the specific access level.
WORD<1–20>
Specifies the user logon name.
Use the data in the following table to use the password command.
Table 3: Variable definitions
Variable
Value
access level WORD<2–8>
Permits or blocks this access level. The available
access level values are as follows:
• l1
• l2
• l3
• ro
• rw
• rwa
aging-time day <1-365>
Configures the expiration period for passwords in
days, from 1–365. The default is 90 days.
default-lockout-time <60-65000>
Changes the default lockout time after three invalid
attempts. Configures the lockout time, in seconds,
and is in the 60–65000 range. The default is 60
seconds.
To configure this option to the default value, use the
default operator with the command.
lockout WORD<0–46> time <60-65000>
Configures the host lockout time.
• WORD<0–46> is the host IP address in the
format a.b.c.d.
• <60-65000> is the lockout-out time, in seconds, in
the 60–65000 range. The default is 60 seconds.
min-passwd-len <10-20>
December 2017
Configures the minimum length for passwords in
high-secure mode. The default is 10 characters.
Table continues…
Configuring Security on VOSS
36
Security configuration using CLI
Variable
Value
To configure this option to the default value, use the
default operator with the command.
password-history <3-32>
Specifies the number of previous passwords the
switch stores. You cannot reuse a password that is
stored in the password history. The default is 3.
To configure this option to the default value, use the
default operator with the command.
Configuring directed broadcast
A directed broadcast is a frame sent to the subnet broadcast address on a remote IP subnet.
When you disable (or suppress) directed broadcasts on an interface, all frames sent to the subnet
broadcast address for a local router interface are dropped. Disabling directed broadcasts protects
hosts from possible denial-of-service (DOS) attacks. By default, this feature is enabled on the
device.
Procedure
1. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4059>
2. Configure the switch to forward directed broadcasts for a VLAN:
ip directed-broadcast enable
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 2
Switch:1(config-if)#ip directed-broadcast enable
Variable definitions
Use the data in the following table to use the ip directed-broadcast command.
Table 4: Variable definitions
Variable
Value
enable
Enables the device to forward directed broadcast frames to the specified VLAN. The
default setting for this feature is enabled.
December 2017
Configuring Security on VOSS
37
Security
Preventing certain types of DOS attacks
Protect the switch against IP packets with illegal IP addresses such as loopback addresses or a
source IP address of ones, or Class D or Class E addresses from being routed. The switch
supports high-secure configurable flag.
About this task
Important:
After you enable this flag, the desired behavior (not routing source packets with an IP address
of 255.255.255.255) applies to all ports that belong to the same port.
Important:
The setting to enable hsecure only takes effect for packets going to the CP; not to datapath
traffic.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Enable high-secure mode:
high-secure [port {slot/port[/sub-port] [-slot/port[/sub-port]]
[,...]}] enable
Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 1/16
Switch:1(config-if)# high-secure enable
Variable definitions
Use the data in the following table to use the high-secure command.
December 2017
Configuring Security on VOSS
38
Security configuration using CLI
Variable
Value
port {slot/port[/sub-port] [slot/port[/sub-port]] [,...]}
Specifies the port on which you want to enable high-secure mode.
enable
Identifies the slot and port in one of the following formats: a single slot and
port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of
slots and ports (slot/port,slot/port,slot/port). If your platform supports
channelization and the port is channelized, you must also specify the subport in the format slot/port/sub-port.
Enables the high-secure feature that blocks packets with illegal IP
addresses. This flag is disabled by default. Use the no operator to remove
this configuration. To configure this option to the default value, use the
default operator with the command.
Configuring port lock
Configure port lock to administratively lock a port or ports to prevent other users from changing
port parameters or modifying port action. You cannot modify a locked port until you unlock the
port.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable port lock globally:
portlock enable
3. Enter GigabitEthernet Interface Configuration mode:
interface gigabitethernet {slot/port[/sub-port] [-slot/port[/subport]] [,...]}
4. Lock a port:
lock [port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
enable
Example
Switch:1> enable
Switch:1# configure terminal
Log on to GigabitEthernet Interface Configuration mode:
Switch:1(config)# interface GigabitEthernet 1/1
Lock port 1/1:
Switch:1(config-if)# lock port 1/1 enable
December 2017
Configuring Security on VOSS
39
Security
Unlock port 1/1:
Switch:1(config-if)# no lock port 1/1 enable
Variable definitions
Use the data in the following table to use the interface gigabitethernet command.
Variable
Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of
slots and ports (slot/port-slot/port), or a series of
slots and ports (slot/port,slot/port,slot/port). If your
platform supports channelization and the port is
channelized, you must also specify the sub-port in
the format slot/port/sub-port.
Use the data in the following table to use the lock port command.
Variable
Value
{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
Specifies the port you want to lock.
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of
slots and ports (slot/port-slot/port), or a series of
slots and ports (slot/port,slot/port,slot/port). If your
platform supports channelization and the port is
channelized, you must also specify the sub-port in
the format slot/port/sub-port.
The default is disabled.
Unicast Reverse Path Forwarding configuration using CLI
This section provides CLI procedures for Unicast Reverse Path Forwarding configuration.
Enabling urpf-mode boot flag
To configure Unicast Reverse Path Forwarding on a port or VLAN, you are required to enable the
urpf-mode boot flag. If you try to configure uRPF on an interface, that is, enable or change the urpf
operating mode with the urpf-mode boot flag disabled, a consistency check error message is
displayed: Unicast Reverse Path Forwarding configuration is not supported
when urpf-mode boot flag is disabled.
About this task
Use the following procedure to enable the urpf-mode boot flag. By default, urpf-mode is disabled.
Procedure
1. Enter Global Configuration mode:
December 2017
Configuring Security on VOSS
40
Security configuration using CLI
enable
configure terminal
2. Enable the urpf-mode boot flag:
boot config flags urpf-mode
3. When you get the following prompt to reboot the switch, enter y to reboot.
The new setting requires a reboot to take effect!
The configuration will be saved and rebooted.
Are you sure you want to re-boot the switch (y/n)?
Note:
If you enter n, the following message is displayed: Warning: Please save the
configuration and reboot the switch for this configuration to
take effect.
4. Check the status of the urpf-mode boot flag:
show boot config flags
Example
Enable the urpf-mode boot flag:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# boot config flags urpf-mode
The new setting requires a reboot to take effect!
The configuration will be saved and rebooted.
Are you sure you want to re-boot the switch (y/n)? y
View the status of the urpf-boot flag:
Switch:1>enable
Switch:1#show boot config flags
flags block-snmp false
flags debug-config file
flags debugmode false
flags dvr-leaf-mode false
flags enhancedsecure-mode false
flags factorydefaults false
flags flow-control-mode false
flags ftpd true
flags ha-cpu true
flags hsecure false
flags linerate-directed-broadcast false
flags ipv6-mode false
flags logging true
flags nni-mstp false
flags reboot true
flags rlogind false
flags savetostandby true
flags spanning-tree-mode mstp
flags spbm-config-mode false
flags sshd true
flags telnetd true
flags tftpd true
December 2017
Configuring Security on VOSS
41
Security
flags
flags
flags
flags
flags
trace-logging false
urpf-mode false
verify-config true
vrf-scaling false
vxlan-gw-full-interworking-mode false
Note:
The following boot config flags are not supported on all hardware models:
• ha-cpu flag
• ipv6-mode flag
• linerate-directed-broadcast
• savetostandby flag
• vxlan-gw-full-interworking-mode flag
Configuring unicast reverse path forwarding on a port
About this task
You can use the Unicast Reverse Path Forwarding (uRPF) feature to reduce the problems that are
caused by the introduction of malformed or forged (spoofed) IP source addresses into a network.
When you enable uRPF, the switch performs a check to determine if the source IP address of the
packet is verifiable. If the address is not verifiable, the system drops the packet.
uRPF runs in two modes:
• strict mode
• loose mode (exist-only mode)
Before you begin
• You must enable the urpf-mode boot flag. See Enabling urpf-mode boot flag on page 40.
Note:
When you try to configure uRPF on an interface, that is, enable or change the urpf
operating mode with the urpf-mode boot flag disabled, a consistency check error
message is displayed: Unicast Reverse Path Forwarding configuration is
not supported when urpf-mode boot flag is disabled.
• You must log on to the GigabitEthernet Interface Configuration mode in CLI.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
December 2017
Configuring Security on VOSS
42
Security configuration using CLI
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Set or change the urpf operating mode on a port:
For IPv4, enter: ip rvs-path-chk mode {strict|exist-only}
For IPv6, enter: ipv6 rvs-path-chk mode {strict|exist-only}
Note:
3. Verify the configuration on the port:
For IPv4, enter: show ip interface gigabitethernet
For IPv6, enter: show ipv6 interface gigabitethernet
Example
Example for IPv4:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 1/10
Check whether the source IP address of the incoming packet exists in the FIB table:
Switch:1(config-if)# ip rvs-path-chk mode strict
Verify the configuration on the port:
Switch:1(config-if)# show ip interface gigabitethernet
=============================================================================================
Brouter Port Ip
=============================================================================================
PORT VRF
IP_ADDRESS
NET_MASK
BROADCAST REASM
ADVERTISE DIRECT RPC
RPCMODE
NUM NAME
MAXSIZE WHEN_DOWN BCAST
--------------------------------------------------------------------------------------------1/1 Glob~ 192.0.2.1
255.255.255.0 ones
1500
disable
disable disable exist-only
1/10 spbo~ 198.51.100.1 255.255.255.0 ones
1500
disable
disable disable exist-only
PORT VRF
NUM
NAME
-------------------------------------------------------------------------------1/1
GlobalRouter
1/10 spboip
Example for IPv6:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 4/16
Check whether the source IP address of the incoming packet exists in the FIB table:
Switch:1(config-if)# ipv6 rvs-path-chk mode strict
Verify the configuration on the port:
Switch:1(config-if)#show ipv6 interface gigabitethernet
========================================================================================================================
==
Port Ipv6 Interface
========================================================================================================================
==
IFINDX BROUTER PHYSICAL
ADMIN
OPER TYPE MTU HOP REACHABLE
RETRANSMIT MCAST
IPSEC
RPC
RPCMODE
December 2017
Configuring Security on VOSS
43
Security
INDX
ADDRESS
STATE
STATE
LMT TIME
TIME
STATUS
------------------------------------------------------------------------------------------------------------------------192
4/16
e4:5d:52:3c:65:02 enable down ETHER 1500 2
30000
1000
disable disable disable
existonly
====================================================================================================
Port Ipv6 Address
====================================================================================================
IPV6 ADDRESS
BROUTER
TYPE
ORIGIN
STATUS
---------------------------------------------------------------------------------------------------2001:DB8:0:0:0:0:0:ffff/64
4/16
UNICAST MANUAL
INACCESSIBLE INF
INF
2001:DB8:0:0:e65d:52ff:fe3c:6502/64
4/16
UNICAST LINKLAYER INACCESSIBLE INF
INF
1 out of 5 Total Num of Interface Entries displayed.
2 out of 10 Total Num of Address Entries displayed.
Variable definitions
Use the data in the following table to use the ip rvs-path-chk mode and ipv6 rvs-path-chk mode
commands.
Variable
Value
mode{strict|exist-only}
Specifies the mode for Unicast Reverse Path
Forwarding (uRPF). In strict mode, uRPF checks
whether the source IP address of the incoming
packet exists in the FIB. If the incoming interface is
not the best reverse path, the packet check fails
and uRPF drops the packet. In exist-only mode,
uRPF checks whether the source IP address of the
incoming packet exists in the FIB. The packet is
dropped only if the source address is not reachable
via any interface on that router.
Configuring unicast reverse path forwarding on a VLAN
About this task
Use the Unicast Reverse Path Forwarding (uRPF) feature to reduce the problems that are caused
by the introduction of malformed or forged (spoofed) IP source addresses into a network. When
you enable uRPF, the switch performs a check to determine if the source IP address of the packet
is verifiable. If the address is not verifiable, the system drops the packet.
uRPF runs in two modes:
• strict mode
• loose mode (exist-only mode)
Before you begin
• You must enable the urpf-mode boot flag.
Note:
When you try to configure uRPF on an interface, that is, enable or change the urpf
operating mode with the urpf-mode boot flag disabled, a consistency check error
message is displayed: Unicast Reverse Path Forwarding configuration is
not supported when urpf-mode boot flag is disabled.
• You must log on to the VLAN Interface Configuration mode in CLI.
December 2017
Configuring Security on VOSS
44
Security configuration using CLI
Important:
You must assign a valid IP address to the selected port.
Procedure
1. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4059>
2. Set or change the urpf operating mode on a VLAN:
For IPv4, enter: ip rvs-path-chk mode {strict|exist-only}
For IPv6, enter: ipv6 rvs-path-chk mode {strict|exist-only}
3. Verify the configuration on the VLAN:
For IPv4, enter: show interfaces vlan ip
For IPv6, enter: show ipv6 interface vlan
Example
Example for IPv4:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface vlan 2
Check whether the source IP address of the incoming packet exists in the FIB table:
Switch:1(config-if)# ip rvs-path-chk mode exist-only
Verify the configuration on the VLAN:
Switch:1(config-if)# show interfaces vlan ip
==============================================================================================================
Vlan Ip
==============================================================================================================
VLAN VRF
IP
NET
BCASTADDR REASM
ADVERTISE DIRECTED RPC
RPCMODE
RMON
ID
NAME
ADDRESS
MASK
FORMAT
MAXSIZE WHEN_DOWN BROADCAST
-------------------------------------------------------------------------------------------------------------1050 Globa~ 192.0.2.9
255.255.255.0
ones
1500
disable
disable
disable exist-only disable
1102 Globa~ 198.51.100.1 255.255.255.0
ones
1500
disable
disable
disable exist-only disable
1133 iir3
192.0.2.10
255.255.255.0
ones
1500
disable
disable
disable exist-only disable
1500 spboip 192.0.2.11
255.255.255.0
ones
1500
disable
disable
disable exist-only disable
1590 spboip 198.51.100.2 255.255.255.0
ones
1500
disable
disable
disable exist-only disable
4057 Globa~ 192.0.2.12
255.255.255.0
ones
1500
disable
disable
disable exist-only disable
All 16 out of 16 Total Num of Vlan Ip Entries displayed
VLAN VRF
ID
NAME
-------------------------------------------------------------------------------1050 GlobalRouter
1102 GlobalRouter
1133 iir3
1500 spboip
1590 spboip
4057 GlobalRouter
All 16 out of 16 Total Num of Vlan Ip Entries displayed
December 2017
Configuring Security on VOSS
45
Security
Example for IPv6:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface vlan 2
Check whether the source IP address of the incoming packet exists in the FIB table:
Switch:1(config-if)# ipv6 rvs-path-chk mode exist-only
Verify the configuration on the VLAN:
Switch:1(config-if)# show ipv6 interface vlan
========================================================================================================================
Vlan Ipv6 Interface
========================================================================================================================
IFINDX VLAN PHYSICAL
ADMIN
OPER TYPE MTU HOP REACHABLE
RETRANSMIT MCAST
IPSEC
RPC
RPCMODE
INDX
ADDRESS
STATE
STATE
LMT TIME
TIME
STATUS
-----------------------------------------------------------------------------------------------------------------------3170
1122 2c:f4:c5:dc:b4:89 enable up
ETHER 1500 64 30000
1000
disable disable disable existonly
3174
1126 2c:f4:c5:dc:b4:8b enable up
ETHER 1500 64 30000
1000
disable disable disable existonly
3185
1137 2c:f4:c5:dc:b4:90 enable up
ETHER 1500 64 30000
1000
disable disable disable existonly
================================================================================
Vlan Ipv6 Address
================================================================================
IPV6 ADDRESS
VLAN-ID
TYPE
ORIGIN
STATUS
-------------------------------------------------------------------------------2001:db8:0:0:0:0:0:1
V-1122
UNICAST MANUAL
PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b489
V-1122
UNICAST LINKLAYER PREFERRED
2001:db8:0:0:0:0:0:1
V-1126
UNICAST MANUAL
PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b48b
V-1126
UNICAST LINKLAYER PREFERRED
2001:db8:0:0:0:0:0:1
V-1137
UNICAST MANUAL
PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b490
V-1137
UNICAST LINKLAYER PREFERRED
3 out of 4 Total Num of Interface Entries displayed.
6 out of 7 Total Num of Address Entries displayed.
Variable definitions
Use the data in the following table to use the ip rvs-path-chk mode and ipv6 rvs-path-chk mode
commands.
Variable
Value
mode{strict|exist-only}
Specifies the mode for Unicast Reverse Path
Forwarding (uRPF). In strict mode, uRPF checks
whether the source IP address of the incoming
packet exists in the FIB. If the incoming interface is
not the best reverse path, the packet check fails
and uRPF drops the packet. In exist-only mode,
uRPF checks whether the source IP address of the
incoming packet exists in the FIB. The packet is
dropped only if the source address is not reachable
via any interface on that router.
Viewing unicast reverse path forwarding configuration on a port
About this task
Use the following procedure to view the status of the uRPF configuration on a port.
Before you begin
• You must enable the urpf-mode boot flag.
December 2017
Configuring Security on VOSS
46
Security configuration using CLI
Note:
When you try to configure uRPF on an interface, that is, enable or change the urpf
operating mode with the urpf-mode boot flag disabled, a consistency check error
message is displayed: Unicast Reverse Path Forwarding configuration is
not supported when urpf-mode boot flag is disabled.
• You must log on to the GigabitEthernet Interface Configuration mode in CLI.
• You must configure unicast reverse path forwarding on a port.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Verify the configuration on the port:
For IPv4, enter: show ip interface gigabitethernet
For IPv6, enter: show ipv6 interface gigabitethernet
Example
Example for IPv4:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 1/10
Verify the configuration on the port:
Switch:1(config-if)# show ip interface gigabitethernet
=============================================================================================
Brouter Port Ip
=============================================================================================
PORT VRF
IP_ADDRESS
NET_MASK
BROADCAST REASM
ADVERTISE DIRECT RPC
RPCMODE
NUM NAME
MAXSIZE WHEN_DOWN BCAST
--------------------------------------------------------------------------------------------1/1 Glob~ 192.0.2.3
255.255.255.0 ones
1500
disable
disable disable exist-only
1/10 spbo~ 198.51.100.4 255.255.255.0 ones
1500
disable
disable disable exist-only
PORT VRF
NUM
NAME
-------------------------------------------------------------------------------1/1
GlobalRouter
1/10 spboip
Example for IPv6:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 4/16
December 2017
Configuring Security on VOSS
47
Security
Verify the configuration on the port:
Switch:1(config-if)#show ipv6 interface gigabitethernet
========================================================================================================================
=====
Port Ipv6 Interface
========================================================================================================================
=====
IFINDX BROUTER PHYSICAL
ADMIN
OPER TYPE MTU HOP REACHABLE
RETRANSMIT MCAST
IPSEC
RPC
RPCMODE
INDX
ADDRESS
STATE
STATE
LMT TIME
TIME
STATUS
---------------------------------------------------------------------------------------------------------------------------192
4/16
e4:5d:52:3c:65:02 enable down ETHER 1500 2
30000
1000
disable disable disable
existonly
====================================================================================================
Port Ipv6 Address
====================================================================================================
IPV6 ADDRESS
BROUTER
TYPE
ORIGIN
STATUS
---------------------------------------------------------------------------------------------------2001:db8:0:0:0:0:0:ffff/64
4/16
UNICAST MANUAL
INACCESSIBLE INF
INF
2001:db8:0:0:e65d:52ff:fe3c:6502/64
4/16
UNICAST LINKLAYER INACCESSIBLE INF
INF
1 out of 5 Total Num of Interface Entries displayed.
2 out of 10 Total Num of Address Entries displayed.
Viewing unicast reverse path forwarding configuration on a VLAN
About this task
Use the following procedure to view the status of the uRPF configuration on a VLAN.
Before you begin
• You must enable the urpf-mode boot flag.
Note:
When you try to configure uRPF on an interface, that is, enable or change the urpf
operating mode with the urpf-mode boot flag disabled, a consistency check error
message is displayed: Unicast Reverse Path Forwarding configuration is
not supported when urpf-mode boot flag is disabled.
• You must log on to the VLAN Interface Configuration mode in CLI.
Important:
You must assign a valid IP address to the selected port.
• You must configure unicast reverse path forwarding on a VLAN.
Procedure
1. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4059>
2. Verify the configuration on the VLAN:
For IPv4, enter: show interfaces vlan ip
For IPv6, enter: show ipv6 interface vlan
December 2017
Configuring Security on VOSS
48
Security configuration using CLI
Example
Example for IPv4:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface vlan 2
Verify the configuration on the VLAN:
Switch:1(config-if)# show interfaces vlan ip
==============================================================================================================
Vlan Ip
==============================================================================================================
VLAN VRF
IP
NET
BCASTADDR REASM
ADVERTISE DIRECTED RPC
RPCMODE
RMON
ID
NAME
ADDRESS
MASK
FORMAT
MAXSIZE WHEN_DOWN BROADCAST
-------------------------------------------------------------------------------------------------------------1050 Globa~ 192.0.2.9
255.255.255.0
ones
1500
disable
disable
disable exist-only disable
1102 Globa~ 198.51.100.1 255.255.255.0
ones
1500
disable
disable
disable exist-only disable
1133 iir3
192.0.2.10
255.255.255.0
ones
1500
disable
disable
disable exist-only disable
1500 spboip 192.0.2.11
255.255.255.0
ones
1500
disable
disable
disable exist-only disable
1590 spboip 198.51.100.2 255.255.255.0
ones
1500
disable
disable
disable exist-only disable
4057 Globa~ 192.0.2.12
255.255.255.0
ones
1500
disable
disable
disable exist-only disable
All 16 out of 16 Total Num of Vlan Ip Entries displayed
VLAN VRF
ID
NAME
-------------------------------------------------------------------------------1050 GlobalRouter
1102 GlobalRouter
1133 iir3
1500 spboip
1590 spboip
4057 GlobalRouter
All 16 out of 16 Total Num of Vlan Ip Entries displayed
Example for IPv6:
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface vlan 2
Verify the configuration on the VLAN:
Switch:1(config-if)# show ipv6 interface vlan
========================================================================================================================
=====
Vlan Ipv6 Interface
========================================================================================================================
=====
IFINDX VLAN PHYSICAL
ADMIN
OPER TYPE MTU HOP REACHABLE
RETRANSMIT MCAST
IPSEC
RPC
RPCMODE
INDX
ADDRESS
STATE
STATE
LMT TIME
TIME
STATUS
---------------------------------------------------------------------------------------------------------------------------3170
1122 2c:f4:c5:dc:b4:89 enable up
ETHER 1500 64 30000
1000
disable disable disable existonly
3174
1126 2c:f4:c5:dc:b4:8b enable up
ETHER 1500 64 30000
1000
disable disable disable existonly
3185
1137 2c:f4:c5:dc:b4:90 enable up
ETHER 1500 64 30000
1000
disable disable disable existonly
================================================================================
Vlan Ipv6 Address
================================================================================
IPV6 ADDRESS
VLAN-ID
TYPE
ORIGIN
STATUS
-------------------------------------------------------------------------------2001:db8:0:0:0:0:0:1
V-1122
UNICAST MANUAL
PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b489
V-1122
UNICAST LINKLAYER PREFERRED
2001:db8:0:0:0:0:0:1
V-1126
UNICAST MANUAL
PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b48b
V-1126
UNICAST LINKLAYER PREFERRED
2001:db8:0:0:0:0:0:1
V-1137
UNICAST MANUAL
PREFERRED
2001:db8:0:0:2ef4:c5ff:fedc:b490
V-1137
UNICAST LINKLAYER PREFERRED
3 out of 4 Total Num of Interface Entries displayed.
6 out of 7 Total Num of Address Entries displayed.
December 2017
Configuring Security on VOSS
49
Security
Digital certificate configuration using CLI
The following section provides procedures to configure digital certificates using CLI.
Configuring device subject parameters
About this task
Use this procedure to configure the device subject parameters to identify the device, such as the
name, Email ID, company, department, and location.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the subject parameters of the device:
certificate subject {[common-name WORD<0–64>] [e-mail WORD<0-254>]
[unit WORD<0-64>] [organization WORD<0-64>] [locality WORD<0-128>]
[province WORD<0-128>] [country WORD<0–128>]}
3. (Optional) Delete a subject parameter:
no certificate subject {[common-name] [e-mail] [unit]
[organization] [locality] [province] [country]}
4. (Optional) Configure the default subject parameters of the device:
default certificate subject
Example
Configuring subject parameters:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)# certificate subject common-name Self e-mail example@company.com unit
Engineering organization Company locality SanFrancisco province California country US
Variable definitions
Use the data in the following table to use the Certificate Subject command.
Variable
Value
common-name
WORD<0–64>
Specifies the name of the subject sending the Certificate Signing Request to
the Certificate Authority.
e-mail WORD<0-254>
Specifies the Email address of the subject sending the Certificate Signing
Request to the Certificate Authority.
unit WORD<0-64>
Specifies the organizational unit of the subject sending the Certificate Signing
Request to the Certificate Authority.
Table continues…
December 2017
Configuring Security on VOSS
50
Security configuration using CLI
Variable
Value
organization
WORD<0-64>
Specifies the organization of the subject sending the Certificate Signing
Request to the Certificate Authority.
locality WORD<0-128>
Specifies the locality of the subject sending the Certificate Signing Request to
the Certificate Authority.
province WORD<0-128>
Specifies the province of the subject sending the Certificate Signing Request
to the Certificate Authority.
country WORD<0–128>
Specifies the country of the subject sending the Certificate Signing Request to
the Certificate Authority.
Generating key pair
About this task
Use the following procedure to generate the private and public key pair for the specific
cryptography type.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Generate the key pair:
certificate generate-keypair {type rsa size 2048}
3. (Optional) Delete a key pair:
no certificate generate-keypair
4. (Optional) Generate default key pair:
default certificate generate-keypair
Example
Generating the key pair:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#certificate generate-keypair type rsa size 2048
Variable definition
Use the data in the following table to use the certificate generate-keypair command.
Variable
Value
type rsa
Specifies type of cryptography algorithm used to generate the key-pair. The
switch uses only rsa as the cryptography algorithm type.
size 2048
Specifies the size or modulus of key-pair to be generated. The value should
be 2048.
December 2017
Configuring Security on VOSS
51
Security
Configuring a trustpoint CA
About this task
Use this procedure to configure the certificate authority and perform related actions. You can
configure only one CA in a device at a time.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the trustpoint by getting CA specific configuration parameters and perform
related actions:
certificate ca WORD<1–45> [common-name WORD<0–64>] [key-name
WORD<0–45>] [ca-url WORD<0–1000>] [use-post <true|false>] [action
<noop | caauth | {enroll [validity-days <7–1185>] | } | {renew
[validity-days <7–1185>] | install | remove | get-crl>] [installfile {root-ca-filename WORD<1–80>}]
a. Configure the trustpoint and associate it with the generated key pair:
certificate ca WORD<1–45> {[common-name WORD<0–64>] [key-name
WORD<0–45>] [ca-url WORD<0–1000>] [use-post <true|false>]}
b. Configure trustpoint and perform no other operation:
certificate ca WORD<1–45> action noop
c. Configure trustpoint, authenticate the trustpoint CA by getting the certificate of the CA,
and store the CA certificate locally:
certificate ca WORD<1–45> action caauth
d. Generate certificate signing request to obtain identity certificate from configured
trustpoint CA, get the digital certificate, and store it locally, associating with the
trustpoint CA:
certificate ca WORD<1–45> {action enroll [validity-days <7–
1185>]}
e. Generate certificate renew request for given trustpoint CA, get the new digital
certificate, and store it locally by replacing the old certificate with the new one:
certificate ca WORD<1–45> {action renew [validity-days <7–
1185>]}
f. Release the locally stored certificate associated with the trustpoint CA post
revocation.
certificate ca WORD<1–45> action remove
g. Install the subject certificate obtained from the given trustpoint CA:
certificate ca WORD<1–45> action install
December 2017
Configuring Security on VOSS
52
Security configuration using CLI
h. Get the Certificate Revocation List from the CDP and store into a file.
certificate ca WORD<1–45> action get-crl
3. Install the Root Certificate Authority’s certificate obtained offline:
certificate ca WORD<1–45> install–file {root-ca-filename WORD<1–
80>}
4. Set the HTTP request type to support the type of CA:
certificate ca WORD<1–45> use-post <false | true>
5. (Optional) Delete a trustpoint CA:
no certificate ca WORD<1–45> [[common-name] | [key-name] | [ca-url]
| [use-post] | [action]]
6. (Optional) Configure default trustpoint CA:
default certificate ca WORD<1–45>
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#certificate ca ej common-name subca5 key-name rsa_2048
Switch:1(config)#certificate ca ej action enroll
Switch:1(config)#CP1 [07/21/16 12:22:11.992:CEST] 0x003a8604 00000000 GlobalRouter
DIGITALCERT
INFO Digital Certificate Module : Configuration Saved
CP1 [07/21/16 12:22:12.284:CEST] 0x003a8639 00000000 GlobalRouter DIGITALCERT INFO
Sent SCEP
Request To CA : ej
CP1 [07/21/16 12:22:12.504:CEST] 0x003a8615 00000000 GlobalRouter DIGITALCERT INFO
Received SCEP
Response With SUCCESS status!
CP1 [07/21/16 12:22:12.508:CEST] 0x003a8611 00000000 GlobalRouter DIGITALCERT INFO
Enroll
Certificate Successful!
CP1 [07/21/16 12:22:12.509:CEST] 0x003a8604 00000000 GlobalRouter DIGITALCERT INFO
Digital
Certificate Module : Configuration Saved
Variable definition
Use the data in the following table to use the certificate ca command.
Variable
Value
ca WORD<1–45>
Specifies the name of the certification authority. It should be alphanumeric
and case-sensitive. The maximum length should be 45 characters.
common-name WORD<0– Specifies the name of the owner of the device or user.
64>
key-name WORD<0–45>
Specifies the key pair generated by the command that was first associated
with the CA trustpoint.
ca-url WORD<0–1000>
Specifies the trusted CA url.
use-post <false | true>
Specify the HTTP request style. The default value is True.
Table continues…
December 2017
Configuring Security on VOSS
53
Security
Variable
Value
For example, True for EJBCA and False for Win2012 CA.
action noop
Specifies that no operation should be performed after configuring trustpoint.
action caauth
Authenticates the trustpoint CA by getting the certificate of the CA and stores
the CA certificate locally.
action enroll [validity-days
<7–1185>]
Generates certificate signing request to obtain identity certificate from
configured trustpoint CA, gets the digital certificate, and stores it locally,
associating with the trustpoint CA.
The validity-days specifies the number of days for which the certificate will
remain valid. The default value is 365 days.
action renew [validity-days Generates certificate renewal request for given trustpoint CA, gets the digital
<7–1185>]
certificate, and stores it locally by replacing the old certificate with the new
one.
The validity-days specifies the number of days for which the certificate will
remain valid. The default value is 365 days.
action renew [challengeThis password is given offline by the CA during the end entity registration.
password WORD<0-128>] The length of the password is from 0 to 128.
action install
Installs the subject certificate obtained from the given trustpoint CA.
action remove
Releases the locally stored certificate associated with the trustpoint CA post
revocation.
action get-crl
Gets the Certificate Revocation List from the CDP and stores into a file.
install-file root-ca-filename
WORD<1–80>
Installs the Root CA file obtained offline from the CA.
Installing the certificate
About this task
Use this procedure to install CA, Root CA, subject certificate, or CRL file obtained offline from the
certification authority (CA).
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Install the certificate obtained from the CA:
certificate install-file {[offline-ca-filename WORD<1-80>] |
[offline-root-ca-filename WORD<1-80>] | [offline-subject-filename
WORD<1-80>] | [offline-crl-filename WORD<1-80>]}
3. (Optional) Uninstall the certificate obtained from the CA:
December 2017
Configuring Security on VOSS
54
Security configuration using CLI
no certificate install-file {[offline-ca-filename WORD<1-80>] |
[offline-root-ca-filename WORD<1-80>] | [offline-subject-filename
WORD<1-80>] | [offline-crl-filename WORD<1-80>]}
Variable definition
Use the data in the following table to use the certificate install-file command.
Variable
Definition
offline-ca-filename
WORD<1–80>
Specifies the CA file name obtained from the CA.
offline-root-ca-filename
WORD<1–80>
Specifies the Root CA file name obtained from the CA.
offline-subject-filename
WORD<1–80>
Specifies the subject certificate file name obtained from the CA.
offline-crl-filename
WORD<1–80>
Specifies the CRL file obtained from the CA.
Generating certificate signing request
About this task
Use this procedure to generate certificate signing request (CSR) and store it into a file. This CSR
is required to obtain the offline subject certificate.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Generate certificate signing request:
certificate generate-csr
Viewing the certificate details
About this task
Use this procedure for the following tasks:
• Displaying the digital certificate for given certificate type or list all the certificate details from
the local store for given certificate type.
• Displaying the CA details for a given trustpoint CA name or listing all the CA details from the
local store if the CA name is not specified.
• Displaying the configured key details for given key name.
• Displaying the configured subject details.
Procedure
1. Enter Privileged EXEC mode:
enable
December 2017
Configuring Security on VOSS
55
Security
2. Display the digital certificate for given certificate type:
show certificate cert-type [online-ca-cert] | [online-subject-cert]
| [offline-ca-cert] | [offline-subject-cert] | [intermediate-cacert WORD<1-80>] | [root-ca-cert WORD<1-80>]]
3. Display the certificate authority details:
show certificate ca WORD<1–45>
4. Display the name and public key of all the key-pairs:
show certificate key-name
5. Display the details of the configured subject:
show certificate subject
Example
Enter privileged exec mode:
Switch:1>en
Display the CA certificate details:
Switch:1(config)#show certificate ca
CA table entry
Name
:
caica2
CommonName
:
caica2
KeyName
:
rsa_2048
CaUrl
:
http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/
pkiclient.exe
UsePost
:
0
SubjectCertValidityDays
:
365
Action
:
no-op
LastActionStatus
:
success
LastActionFailureReason
:
Display the name and public key of all the key-pairs:
Switch:1(config)#show certificate key-name
Key Name: rsa_2048
Public Key Value:
00000000000000010000000102000000000301000100000100bcb8339f794b7ce8a90a7f3a238f07e176a483
37512173153ba5f6a2b33700db07957c4a1a7e6adb918ed046c2235e074fff4fcf15aa2e66c670ad14cee5d8
8a9023d666798943d58ab793578438291532a700037d9b5cf97ce1321c63e16462bbb7c0f8fafa1e386d651c
af6b6a8b4e707d1f7c247900d21f711acf1eba9e293aff7de0dbc30b9733d26179827676044ea04b77412142
dc6cd8fe9fc4ebc5173a6d7c82cbf52090046efec0efb0356282208c94b5b954c9fca38d3e39e0778474cb42
3a1c8d9feb4e64a1600a43d7d7d7b1db48dfa7b536772855b081c8d63aecd3f94832fa558565b8e9bf1f1b67
121aa7d4a381ff2c3dde78d65c271b83a9
Display the details of the configured subject:
Switch:1(config)#show
Common Name
:
Email Address
:
Organizational Unit :
Organization
:
Locality
:
Province
:
Country
:
December 2017
certificate subject
tlsenduser1
tlsenduser1@mocana.com
Engineering
Mocana
San Francisco
California
US
Configuring Security on VOSS
56
Security configuration using CLI
Display the Root CA certificate:
Switch:1(config)#show certificate cert-type root-ca-cert
CERT STORE table entry
Certificate Type
:
Root CA Certificate
CommonName
:
ca
VersionNumber
:
X.509 v3
SerialNumber
:
3f418444a5b29cbd
IssuerName
:
CN:ca, EM:, OU:, O:, L:, P:, C:
ValidityPeriodNotBefore
:
10/26/16 12:37:22
ValidityPeriodNotAfter
:
10/26/18 12:37:22
CertificateSignatureAlgorithm
:
sha256withRSAEncryption
CertificateSignature
:
856f7e66ce1bcbc3853dc22f969aff9bbb357d8d4e34274098e7c3c0b78cf0aba04b6d64ec22b4bee1222433
42283348fb011edd25b44bf7b77d6cfb10eb662d97fafe6ce727622dfc205358513ceaef2a04bc1d46b13720
92ae34c222a69237388f62c1efd8d0386102a69aa495a3070994620f2896c157c273185e8b6cc405083973b3
8418d7efd9c992905df6e160c4bf3b916ec046c5291f9b2f280a178d5ac14ca6ee4ffc47059e522bbdafcc55
60c55612fbe3f6bcca603cec1ba0f24202ef6120c0f31259f6b5a80726ddf7f8b72359eac638b4a6289096db
0cdc23839d75ebe79dd3b5b7a365d1534a48f349dd3139d1e05e225711f07631ef5a2fbc
Subject
:
CN:ca, EM:, OU:, O:, L:, P:, C:
SubjectPublicKeyAlgorithm
:
rsaEncryption
SubjectPublicKey
:
00000000000000010000000102000000000301000100000100a0457dd22f1ff11a2c4f01f5fedcda5b26d88a
167f056b2c915e690b3a2c1e30373a8e14e5f23586aaa9e68544bf8b5931f0dff6057936c3e8f48d2430ce9b
df2c00d30da314f4d3a88d7e112593429005b7095f8e4aec18fda5d1697d35882eab98796ae0fe20994edc5a
5b1379521a65d9e168e6bfe6d842139a294c94aac122e51d7a5438ad8bf00f5098857a557a4f69f4b21bd08c
9213d3458a7fb7c644c7fcb4806fb4f683941f7701cb131ffc2444aac314be88fb717c135bc7416390de4925
d833e889362caefbaf1079656206acc5cfe424edc30e2cd7853223c505e3fefd28cc35c94c14742a912baee7
f4197f680a91b69d496ea67b87cbd0c399
HasBasicConstraint
:
1
HasKeyUsage
:
1
IsCa
:
1
KeyUsage
:
103 digitalSignature nonRepudiation
keyEncipherment keyCertSign cRLSign
ExtendedKeyUsage
:
TLS Web Server Authentication, OCSP Signing,
CDPUrl
:
OCSPUrl
:
http://192.51.100.9:8080/ejbca/publicweb/status/ocsp
CertificateFileName
:
/intflash/.cert/.rootCACertStore/root_ca_cert_ca.der
Display the Intermediate CA certificate:
Switch:1(config)# show certificate cert-type intermediate-ca-cert
CERT STORE table entry
Certificate Type
:
Intermediate CA Certificate
CommonName
:
newsubca
VersionNumber
:
X.509 v3
SerialNumber
:
59f0b1a73c93b194
IssuerName
:
CN:ca, EM:, OU:, O:, L:, P:, C:
ValidityPeriodNotBefore
:
10/27/16 09:49:59
ValidityPeriodNotAfter
:
10/26/18 12:37:22
CertificateSignatureAlgorithm
:
sha256withRSAEncryption
CertificateSignature
:
65c2bed6f0333d6bbc5aea24d682061cfebefeb4bea8f74b3687cb72d700aabcf38af039dbff1e3d818627c5
a27bfb4310c5fdd8db7eaea7bfb06275bc86f1e479ed0ca5ec7a828b44f862e294ea4bd39a3a38b2ec5c87f2
fb5baf98a856f380d9ec9f022ba5b05c328556233b7dc5d1359edc08966a194311eb76965ce509439a224c5c
0004688cfdf154a855a80fd385538e00f5644792f9e496def7e293b2a20a60c782cc9bfcddc448e15024a0a4
9caa2bbefc82fa71cbda495915910a4363e5d7d95303d44a14e95932b1797ecc252e7ffa4d7cb8d270c693ce
bbf3e632f1accbe6920460496d1f873d35b92c5430cb870d84d61d0556eea94a003e6785
Subject
:
CN:newsubca, EM:, OU:, O:, L:, P:, C:
SubjectPublicKeyAlgorithm
:
rsaEncryption
SubjectPublicKey
:
00000000000000010000000102000000000301000100000100a0457dd22f1ff11a2c4f01f5fedcda5b26d88a
167f056b2c915e690b3a2c1e30373a8e14e5f23586aaa9e68544bf8b5931f0dff6057936c3e8f48d2430ce9b
December 2017
Configuring Security on VOSS
57
Security
df2c00d30da314f4d3a88d7e112593429005b7095f8e4aec18fda5d1697d35882eab98796ae0fe20994edc5a
5b1379521a65d9e168e6bfe6d842139a294c94aac122e51d7a5438ad8bf00f5098857a557a4f69f4b21bd08c
9213d3458a7fb7c644c7fcb4806fb4f683941f7701cb131ffc2444aac314be88fb717c135bc7416390de4925
d833e889362caefbaf1079656206acc5cfe424edc30e2cd7853223c505e3fefd28cc35c94c14742a912baee7
f4197f680a91b69d496ea67b87cbd0c399
HasBasicConstraint
:
1
HasKeyUsage
:
1
IsCa
:
1
KeyUsage
:
119 digitalSignature nonRepudiation
keyEncipherment keyAgreement keyCertSign cRLSign
ExtendedKeyUsage
:
TLS Web Server Authentication, OCSP Signing,
CDPUrl
:
http://192.51.100.9:8080/ejbca/publicweb/webdist/
certdist?cmd=crl&issuer=CN=ca
OCSPUrl
:
CertificateFileName
:
/intflash/.cert/.caCertStore/ca_cert_newsubca.der
Display the offline CA certificate:
Switch:1(config)#show certificate cert-type offline-ca-cert
CERT table entry
Certificate Type
:
Offline CA Certificate
VersionNumber
:
X.509 v3
SerialNumber
:
59f0b1a73c93b194
IssuerName
:
CN:ca, EM:, OU:, O:, L:, P:, C:
ValidityPeriodNotBefore
:
10/27/16 09:49:59
ValidityPeriodNotAfter
:
10/26/18 12:37:22
CertificateSignatureAlgorithm
:
sha256withRSAEncryption
CertificateSignature
:
65c2bed6f0333d6bbc5aea24d682061cfebefeb4bea8f74b3687cb72d700aabcf38af039dbff1e3d818627c5
a27bfb4310c5fdd8db7eaea7bfb06275bc86f1e479ed0ca5ec7a828b44f862e294ea4bd39a3a38b2ec5c87f2
fb5baf98a856f380d9ec9f022ba5b05c328556233b7dc5d1359edc08966a194311eb76965ce509439a224c5c
0004688cfdf154a855a80fd385538e00f5644792f9e496def7e293b2a20a60c782cc9bfcddc448e15024a0a4
9caa2bbefc82fa71cbda495915910a4363e5d7d95303d44a14e95932b1797ecc252e7ffa4d7cb8d270c693ce
bbf3e632f1accbe6920460496d1f873d35b92c5430cb870d84d61d0556eea94a003e6785
Subject
:
CN:newsubca, EM:, OU:, O:, L:, P:, C:
SubjectPublicKeyAlgorithm
:
rsaEncryption
SubjectPublicKey
:
00000000000000010000000102000000000301000100000100a0457dd22f1ff11a2c4f01f5fedcda5b26d88a
167f056b2c915e690b3a2c1e30373a8e14e5f23586aaa9e68544bf8b5931f0dff6057936c3e8f48d2430ce9b
df2c00d30da314f4d3a88d7e112593429005b7095f8e4aec18fda5d1697d35882eab98796ae0fe20994edc5a
5b1379521a65d9e168e6bfe6d842139a294c94aac122e51d7a5438ad8bf00f5098857a557a4f69f4b21bd08c
9213d3458a7fb7c644c7fcb4806fb4f683941f7701cb131ffc2444aac314be88fb717c135bc7416390de4925
d833e889362caefbaf1079656206acc5cfe424edc30e2cd7853223c505e3fefd28cc35c94c14742a912baee7
f4197f680a91b69d496ea67b87cbd0c399
HasBasicConstraint
:
1
HasKeyUsage
:
1
IsCa
:
1
KeyUsage
:
119 digitalSignature nonRepudiation
keyEncipherment keyAgreement keyCertSign cRLSign
ExtendedKeyUsage
:
TLS Web Server Authentication, OCSP Signing,
CDPUrl
:
http://192.51.100.9:8080/ejbca/publicweb/webdist/
certdist?cmd=crl&issuer=CN=ca
Display the offline subject certificate:
Switch:1(config)# show certificate cert-type offline-subject-cert
CERT table entry
Certificate Type
:
Offline Subject Certificate
VersionNumber
:
X.509 v3
SerialNumber
:
33f18af2c9ef62f5
IssuerName
:
CN:newsubca, EM:, OU:, O:, L:, P:, C:
ValidityPeriodNotBefore
:
11/03/16 11:40:28
ValidityPeriodNotAfter
:
10/26/18 12:37:22
CertificateSignatureAlgorithm
:
sha256withRSAEncryption
December 2017
Configuring Security on VOSS
58
Security configuration using CLI
CertificateSignature
:
2fd70da6d5a8f272f0f1cfc237eccb419eabd3c2fc8ca3c147c8f4b04efe2ecd8060f83f1ce420c37285e8a4
a704249983e5b4545a9d0e7e684a03502d0d180ced5d2dd6747c8ab0f58b6f46ac56c6ff696dad6a93bd2c62
49b32e74070499f6f94b0814ae7c14f1893ab1f2ce764340007eb06338bba5935ac5729e20e680c593f77dfa
9aac96ea5ec1a884e28db4e68bfbea116beffdb91cb09ab9fc6ac2aaee0064a2ef241412b6ebe21564623b28
eaba14ff7f2a07691c7703c50bc63b25dd18d21f0f08e63a33ca75cd49cfe93a9b6ff540d439008ac8e83a23
93e94bf4b2e5fa1c3e3d8df1df538651f4936f9db117fd6adf0960eaf116a92c5bff7c06
Subject
:
CN:newsub1, EM:test@mocana.com, OU:Engineering,
O:Mocana, L:San Francisco, P:California, C:US
SubjectPublicKeyAlgorithm
:
rsaEncryption
SubjectPublicKey
:
00000000000000010000000102000000000301000100000100d35e399359ee6c24837a0394dff783c039bf4c
6fe02000e31fecfa0a67b36fd390b3a1c29229af4ed24972186fc4991655479db597967b3bdda95c00bd1c07
ca660ccf80aca1bccbe8cbe2db31a5cd5868433eb9ac85ab7b54438c4e0b2da260a13eef4900929514ee8bee
184df40f11c0c766a0e6ca89424f2f3753039e8e20e3809d20fa59d319ccaecee4a32a4ab1da9bf7f566241d
d76c11eb762ad320dafbcba73e658d0faa5ea1caf75f1e4889038a58b3e48e9e541bcb4f818eb9b3e84a57bc
6714e789067226953d740c6ef38d67d5ec891598f62248a337a1176bd3edef8adec606bbae9781b88d32c886
7629ddbc9f532338cf4ca53918dd98c609
HasBasicConstraint
:
1
HasKeyUsage
:
1
IsCa
:
0
KeyUsage
:
15 digitalSignature nonRepudiation
keyEncipherment dataEncipherment
ExtendedKeyUsage
:
TLS Web Server Authentication, OCSP Signing,
CDPUrl
:
http://192.51.100.9:8080/ejbca/publicweb/webdist/
certdist?cmd=crl=&=CN=newsubca
OCSPUrl
:
http://192.51.100.9:8080/ejbca/publicweb/status/ocsp
Status
:
offline-certificate
Installed
:
1
Display the online CA certificate:
Switch:1(config)#show certificate cert-type online-ca-cert
CERT table entry
Certificate Type
:
Online CA Certificate
VersionNumber
:
X.509 v3
SerialNumber
:
59f0b1a73c93b194
IssuerName
:
CN:ca, EM:, OU:, O:, L:, P:, C:
ValidityPeriodNotBefore
:
10/27/16 09:49:59
ValidityPeriodNotAfter
:
10/26/18 12:37:22
CertificateSignatureAlgorithm
:
sha256withRSAEncryption
CertificateSignature
:
65c2bed6f0333d6bbc5aea24d682061cfebefeb4bea8f74b3687cb72d700aabcf38af039dbff1e3d818627c5
a27bfb4310c5fdd8db7eaea7bfb06275bc86f1e479ed0ca5ec7a828b44f862e294ea4bd39a3a38b2ec5c87f2
fb5baf98a856f380d9ec9f022ba5b05c328556233b7dc5d1359edc08966a194311eb76965ce509439a224c5c
0004688cfdf154a855a80fd385538e00f5644792f9e496def7e293b2a20a60c782cc9bfcddc448e15024a0a4
9caa2bbefc82fa71cbda495915910a4363e5d7d95303d44a14e95932b1797ecc252e7ffa4d7cb8d270c693ce
bbf3e632f1accbe6920460496d1f873d35b92c5430cb870d84d61d0556eea94a003e6785
Subject
:
CN:newsubca, EM:, OU:, O:, L:, P:, C:
SubjectPublicKeyAlgorithm
:
rsaEncryption
SubjectPublicKey
:
00000000000000010000000102000000000301000100000100a0457dd22f1ff11a2c4f01f5fedcda5b26d88a
167f056b2c915e690b3a2c1e30373a8e14e5f23586aaa9e68544bf8b5931f0dff6057936c3e8f48d2430ce9b
df2c00d30da314f4d3a88d7e112593429005b7095f8e4aec18fda5d1697d35882eab98796ae0fe20994edc5a
5b1379521a65d9e168e6bfe6d842139a294c94aac122e51d7a5438ad8bf00f5098857a557a4f69f4b21bd08c
9213d3458a7fb7c644c7fcb4806fb4f683941f7701cb131ffc2444aac314be88fb717c135bc7416390de4925
d833e889362caefbaf1079656206acc5cfe424edc30e2cd7853223c505e3fefd28cc35c94c14742a912baee7
f4197f680a91b69d496ea67b87cbd0c399
HasBasicConstraint
:
1
HasKeyUsage
:
1
IsCa
:
1
KeyUsage
:
119 digitalSignature nonRepudiation
keyEncipherment keyAgreement keyCertSign cRLSign
ExtendedKeyUsage
:
TLS Web Server Authentication, OCSP Signing,
December 2017
Configuring Security on VOSS
59
Security
CDPUrl
certdist?cmd=crl=&=CN=ca
OCSPUrl
:
http://192.51.100.9:8080/ejbca/publicweb/webdist/
:
Display the online subject certificate:
Switch:1(config)#show certificate cert-type online-subject-cert
CERT table entry
Certificate Type
:
Online Subject Certificate
VersionNumber
:
X.509 v3
SerialNumber
:
18684a25b80768f9
IssuerName
:
CN:ca, EM:, OU:, O:, L:, P:, C:
ValidityPeriodNotBefore
:
11/07/16 12:36:43
ValidityPeriodNotAfter
:
10/26/18 12:37:22
CertificateSignatureAlgorithm
:
sha256withRSAEncryption
CertificateSignature
:
6efc5c0fe4f054e9800b029a08b4d2b2f205692379a74818c6c57baba49a2efce1f622397d3b31aa81d55e2f
b222610116e975900887d0e80d48718e080413c8d661a73503481a810f1559c97335a16bb53d1b08024fa6d5
68b156788670cf9d5cb34bdb10b1a8eb936869d4a2d2eeb96241865d685b018d0e094fea7b5a28f3e8d03c15
e1bafe2ba7ce18aaaddc22b6928e597756067758412d283c187123fbedf55c252fabd22ee85cbe558aed6070
db3aa8db117f923d6509d543895c7510843c77b2b438de10e8bea2b76375e27641a6e6aaffd2003b58802a5c
3d1b91e5f5f2d5a68fea4a82c95745b954cc93924aa451458db1707594c871d14511e6cd
Subject
:
CN:192.51.100.9, EM:test@mocana.com,
OU:Engineering, O:Mocana, L:San Francisco, P:California, C:US
SubjectPublicKeyAlgorithm
:
rsaEncryption
SubjectPublicKey
:
00000000000000010000000102000000000301000100000100928124a0e780954494d384b15276bb6fc6b9a8
8bb200bae0f7e8b9ce5fbea7387eff897e571362028b4678a491cbc9e74a2f985807c8ca48c5300cd17f349d
98055f1a6868cd24956efa80ffd9013ce448ab58f31ce6fa0aae1faf9b6b2347d046af754cac7deb75c55eea
7c582824d3f4fff9632d7044b532657777824105c1fd62584276be63c940effe5e307de1fe38fc50727cfdb6
799f3575e13451901ee16dbfcf7d18b6a78574f7230a90021b5b977571358871925239725044604e74edc4ee
236243682bdb30541cc8369580177179c92bec6891473827dcecb3046cadd78530a3b7cb3aad5126a95daaae
919f9355a232ad1611b897ac22a08b7ff7
HasBasicConstraint
:
1
HasKeyUsage
:
1
IsCa
:
0
KeyUsage
:
117 digitalSignature keyEncipherment
keyAgreement keyCertSign cRLSign
ExtendedKeyUsage
:
TLS Web Server Authentication, OCSP Signing,
CDPUrl
:
http://192.51.100.9:8080/ejbca/publicweb/webdist/
certdist?cmd=crl=&=CN=ca
OCSPUrl
:
http://192.51.100.9:8080/ejbca/publicweb/status/ocsp
Status
:
active
Installed
:
1
Variable definition
Use the data in the following table to use the show certificate command.
Variable
Value
cert-type [online-ca-cert]
Specifies Certificate Authority's Certificate obtained
online from Certificate Authority.
cert-type [online-subject-cert]
Specifies subject certificate obtained online from
Certificate Authority.
cert-type [offline-ca-cert]
Specifies Certificate Authority's certificate obtained
offline from Certificate Authority.
Table continues…
December 2017
Configuring Security on VOSS
60
Security configuration using CLI
Variable
Value
cert-type [offline-subject-cert]
Specifies subject certificate obtained offline from
Certificate Authority.
cert-type [intermediate-ca-cert WORD<1-80>]
Specifies the intermediate certificate obtained
offline from Certificate Authority.
cert-type [root-ca-cert WORD<1-80>]
Specifies root certificate obtained offline from Root
Certificate Authority.
ca [WORD<1–45>]
Specifies name of the Certificate Authority.
If the name is not specified, the command displays
the CA details of all configured CA.
Job aid
This section describes the fields in the output for the different show certificate commands.
The following table describes the fields in the output for the show certificate cert-type
command
Parameter
Description
Certificate Type
Indicates the type of certificate.
• Root Certificate
• Offline subject certificate
• Online subject certificate
• Intermediate CA certificate
• Offline CA certificate
• Online CA certificate
VersionNumber
Indicates the certificate version number for the subject as issued by
the Certificate Authority.
SerialNumber
Indicates the certificate serial number for the subject as issued by the
Certificate Authority.
IssuerName
Indicates the certificate issuer name for the subject as issued by the
Certificate Authority.
ValidityPeriodNotBefore
Indicates the certificate validation period start date for the subject as
issued by the Certificate Authority.
ValidityPeriodNotAfter
Indicates the certificate validation period last date for the subject as
issued by the Certificate Authority.
CertificateSignatureAlgorithm
Indicates the algorithm used for the issuer's signature on the
certificate for the subject as issued by the Certificate Authority.
CertificateSignature
Indicates the issuer's signature on the certificate for the subject as
issued by the Certificate Authority.
Subject
Indicates the details of the subject on its certificate as issued by
Certificate Authority.
Table continues…
December 2017
Configuring Security on VOSS
61
Security
Parameter
Description
SubjectPublicKeyAlgorithm
Indicates the algorithm used to generate the subject's public key for
the certificate issued by the Certificate Authority.
SubjectPublicKey
Indicates the public key of the subject used for Certificate Signing
Request.
HasBasicConstraint
Indicates whether certificate contains basic certificate constraint.
HasKeyUsage
Indicates whether certificate contains basic key usage constraint.
IsCa
Indicates if the certificate is a CA certificate or not.
KeyUsage
Indicates the purpose of the key used in the certificate. It is
represented in the form of bits as follows:
• bit 0 - digitalSignature
• bit 1 - nonRepudiation
• bit 2 - keyEncipherment
• bit 3 - dataEncipherment
• bit 4 - keyAgreement
• bit 5 - keyCertSign
• bit 6 - cRLSign
• bit 7 - encipherOnly
• bit 8 - decipherOnly
ExtendedKeyUsage
Indicates the purpose for which the key is used in addition to or in
place of the basic purposes indicated in the key-usage field of the
certificate.
CDPUrl
Indicates the CDP URL present in the Digital Certificate Extensions
field.
OCSPUrl
Indicates the OCSP URL present in the Digital Certificate AIA field.
Status
Indicates the certificate status.
Installed
Indicates if the certificate is installed.
The following table describes the fields in the output for the show certificate ca command
Parameter
Description
Name
Indicates the user defined name referring to the Certificate Authority
issuing the Digital Certificate.
CommonName
Indicates the Common Name of the Certificate Authority issuing the
Digital Certificate.
KeyName
Indicates the generated key pair that was first associated with the CA
trustpoint.
CaUrl
Indicates the URL of the Certificate Authority issuing the Digital
Certificate.
Table continues…
December 2017
Configuring Security on VOSS
62
Security configuration using CLI
Parameter
Description
UsePost
Indicates if the HTTP request type is URL or POST. Where, TRUE
indicates EJBCA and FALSE indicates Win2012 CA.
SubjectCertValidityDays
Indicates number of days for which subject certificate is valid.
Action
Indicates the various actions that a Certificate Authority can take.
• noop - No operation
• caauth - Certificate Authority authentication
• enroll - Certificate Enrolment Request
• renew - Certificate Renew Request
• remove - Removes the subject certificate obtained online from the
Certificate Authority
• install - Installs the subject certificate obtained online from the
Cerificate Authority
• generateCsr - Generates the Certificate Signing Request required
to obtain the Offline Subject Certificate
LastActionStatus
Indicates the status of the last action.
• none - No action is performed yet
• success - Execution of the action triggered is completed
successfully
• failed - Execution of the action triggered has failed
• inProgress - Execution of the action triggered is in progress
LastActionFailureReason
Indicates the reason of failure for the last action performed by the
Certificate Authority.
The following table describes the fields in the output for the show certificate key-name
command
Parameter
Description
Key Name
Indicates the name of the key-pair generated for the subject. It is an
auto generated entity, generated as the combination of key-type and
key-size.
Public Key Value
Indicates the public key of the subject used to the Certificate Signing
Request.
The following table describes the fields in the output for the show certificate subject
command
Parameter
Description
CommonName
Indicates the Common Name field of the subject sending the
Certificate Signing Request (CSR ) to the Certificate Authority.
Table continues…
December 2017
Configuring Security on VOSS
63
Security
Parameter
Description
EmailAddress
Indicates the Email address of the subject sending the CSR to the
Certificate Authority.
OrganizationalUnit
Indicates the Organizational Unit field of the subject sending the CSR
to the Certificate Authority.
Organization
Indicates the Organization of the subject sending the CSR to the
Certificate Authority.
Locality
Indicates the name of the Locality of the subject sending the CSR to
the Certificate Authority.
Province
Indicates the Province name of the subject sending the CSR to the
Certificate Authority.
Country
Indicates the name of the country of the subject sending the CSR to
the Certificate Authority.
Digital certificate configuration examples
This section shows how to obtain an online CA signed certificate, remove the expired certificate,
renew the certificate, and install an offline subject certificate.
Obtaining an online CA-signed subject certificate
Use the following procedure as an example to obtain an online CA signed subject certificate that
the application can use.
About this task
In the following commands, the variable WORD<1-45> refers to the name of the certificate
authority and the variable WORD<1-80> refers to the certificate filename.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the subject:
certificate
certificate
certificate
certificate
certificate
certificate
certificate
subject
subject
subject
subject
subject
subject
subject
common-name scepsub
e-mail test@mocana.com
unit Engineering
organization "Mocana Corporation"
locality "San Francisco"
country US
province California
Note:
The values mentioned are for example only.
3. Generate the key pair:
certificate generate-keypair type rsa size 2048
December 2017
Configuring Security on VOSS
64
Security configuration using CLI
4. Configure the certificate authority (CA):
certificate ca
certificate ca
certificate ca
pkiclient.exe
certificate ca
ej common-name subca5
ej key-name rsa_2048
ej ca-url http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/
ej use-post true
Note:
The values mentioned are for example.
5. Copy and paste the Root CA certificate to: /intflash/.cert/.offlineRootCACert/.
6. Install the Root CA certificate:
certificate ca WORD<1-45> install-file root-ca-filename WORD<1-80>
7. Authenticate the CA:
certificate ca WORD<1-45> action caauth
8. Enroll the subject certificate by the CA:
certificate ca WORD<1-45> action enroll
9. Install the certificate:
certificate ca WORD<1-45> action install
10. (Optional) If the certificate expires, remove the enrolled subject certificate:
certificate ca WORD<1-45> action remove
The certificate is removed from /intflash/.cert and /
intflash/.cert/.installedCert/.
11. (Optional) To obtain the new certificate before the old certificate expires, enter the
following command to renew the certificate:
certificate ca WORD<1-45> action renew
The Certificate Authority generates a new certificate for the subject.
Installing an offline CA certificate
Use the following procedure as an example to install the offline CA certificate.
About this task
In the following commands, the variable WORD<1-80> refers to the certificate filename.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the subject:
certificate subject common-name scepsub
certificate subject e-mail test@mocana.com
certificate subject unit Engineering
December 2017
Configuring Security on VOSS
65
Security
certificate
certificate
certificate
certificate
subject
subject
subject
subject
organization "Mocana Corporation"
locality "San Francisco"
country US
province California
Note:
The values mentioned are for example only.
3. Generate the certificate signing request using the command:
certificate generate-csr
4. Use the generated CSR file to enroll the certificate on the server.
5. Copy and paste the enrolled certificate along with Root to: /
intflash/.cert/.offlineRootCACert/.
6. Install the Root CA certificate:
certificate install-file offline-root-ca-filename WORD<1-80>
Note:
If the subject certificate issuer is directly the Root, then Step 7 and 8 are optional. If the
subject is issued by Intermediate CA, then Step 7 and 8 are mandatory, also in the
certificate chain between Root and Subject, all the Intermediates must be installed
using these steps.
7. Copy and paste the Intermediate CA certificate to: /
intflash/.cert/.offlineCACert/.
8. Install the intermediate CA:
certificate install-file offline-ca-filename WORD<1-80>
9. Copy and paste the Offline subject certificate to: /intflash/.cert/.offlineCert/.
10. Install the offline subject filename:
certificate install-file offline-subject-filename WORD<1-80>
Security configuration using Enterprise Device Manager
Configure security information used on the control and data paths to protect the network from
uncontrolled access to network resources.
For more information about how to configure passwords and access policies, see Administering.
December 2017
Configuring Security on VOSS
66
Security configuration using Enterprise Device Manager
Enabling port lock
About this task
Use the port lock feature to administratively lock a port or ports to prevent other users from
changing port parameters or modifying port action. You cannot modify locked ports until you first
unlock the port.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click General.
3. Click the Port Lock tab.
4. To enable port lock, select the Enable check box.
5. Click Apply.
Port Lock field descriptions
Use the data in the following table to use the Port Lock tab.
Name
Description
Enable
Activates the port lock feature. Clear this check box to unlock
ports. The default is disabled.
LockedPorts
Lists the locked ports. Click the ellipsis (...) button to select the
ports you want to lock or unlock.
Locking a port
Before you begin
• You must enable port lock before you lock or unlock a port.
About this task
Use the port lock feature to administratively lock a port or ports to prevent other users from
changing port parameters or modifying port action. You cannot modify locked ports until you first
unlock the port.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click General.
3. Click the Port Lock tab.
4. In the LockedPorts box, click the ellipsis (...) button.
December 2017
Configuring Security on VOSS
67
Security
5. Click the desired port or ports.
6. Click Ok.
7. In the Port Lock tab, click Apply.
Port Lock field descriptions
Use the data in the following table to use the Port Lock tab.
Name
Description
Enable
Activates the port lock feature. Clear this check box to unlock
ports. The default is disabled.
LockedPorts
Lists the locked ports. Click the ellipsis (...) button to select the
ports you want to lock or unlock.
Changing passwords
About this task
Configure new passwords for each access level, or change the logon or password for the different
access levels of the system to prevent unauthorized access. After you receive the switch, use
default passwords to initially access CLI. If you use Simple Network Management Protocol version
3 (SNMPv3), you can change passwords in encrypted format.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click General.
3. Click the CLI tab.
4. Specify the username and password for the appropriate access level.
5. Click Apply.
CLI field descriptions
Use the data in the following table to use the CLI tab.
Name
Description
RWAUserName
Specifies the user name for the read-write-all CLI
account.
RWAPassword
Specifies the password for the read-write-all CLI
account.
RWEnable
Activates the read-write access level.
RWUserName
Specifies the user name for the read-write CLI
account.
Table continues…
December 2017
Configuring Security on VOSS
68
Security configuration using Enterprise Device Manager
Name
Description
RWPassword
Specifies the password for the read-write CLI
account.
RWL3Enable
Activates the read-write Layer 3 access level.
RWL3UserName
Specifies the user name for the Layer 3 read-write
CLI account.
RWL3Password
Specifies the password for the Layer 3 read-write
CLI account.
RWL2Enable
Activates the read-write Layer 2 access level.
RWL2UserName
Specifies the user name for the Layer 2 read-write
CLI account.
RWL2Password
Specifies the password for the Layer 2 read-write
CLI account.
RWL1Enable
Activates the read-write Layer 1 access level.
RWL1UserName
Specifies the user name for the Layer 1 read-write
CLI account.
RWL1Password
Specifies the password for the Layer 1 read-write
CLI account.
ROEnable
Activates the read/only CLI account level.
ROUserName
Specifies the user name for the read-only CLI
account.
ROPassword
Specifies the password for the read-only CLI
account.
MaxTelnetSessions
Indicates the maximum number of concurrent Telnet
sessions (0–8). The default is 8.
MaxRloginSessions
Indicates the maximum number of concurrent
Rlogin sessions (0–8). The default is 8.
Timeout
Indicates the number of seconds of inactivity for a
Telnet or Rlogin session before automatic timeout
and disconnect (30–65535 seconds). The default is
900.
NumAccessViolations
Indicates the number of CLI access violations
detected by the system. This field is a read-only
field.
CustomBannerText
Specifies the text message that is displayed to
users on the CLI before authentication. The
message can be company information, such as
company name and contact, or a warning message
for the users of CLI. With character limitation from
1-1800, the text box displays 79 characters per line.
CustomBannerEnable
Specifies whether custom logon banner is enabled
or disabled. The default is enabled.
December 2017
Configuring Security on VOSS
69
Security
Configuring directed broadcast on a VLAN
Configure directed broadcast on a VLAN to enable or disable directed broadcast traffic forwarding
for an IP interface.
Procedure
1. In the navigation pane, expand the Configuration > VLAN folders.
2. Click VLANs.
3. Select the Basic tab.
4. Select a VLAN.
5. Click IP.
6. Click the Direct Broadcast tab.
7. Select DirectBroadcastEnable.
Important:
Configure multiple VLANs or IPs in the same subnet but in different systems
simultaneously.
8. Click Apply.
Direct Broadcast field descriptions
Use the data in the following table to use the Direct Broadcast tab.
Name
Description
DirectBroadcastEnable
Specifies that an Isolated Routing Port (IRP) can
forward directed broadcast traffic. A directed
broadcast is a frame sent to the subnet broadcast
address on a remote IP subnet. By disabling or
suppressing directed broadcast on an interface, all
frames sent to the subnet broadcast address for a
local router interface are dropped. Disabling this
function protects a host from possible denial of
service (DoS) attacks.
With the feature enabled, the Control Processor
(CP) does not receive a copy of the directed
broadcast. As a result, the system does not respond
to a subnet broadcast ping sent from a remote
subnet.
The default is disabled.
December 2017
Configuring Security on VOSS
70
Security configuration using Enterprise Device Manager
Unicast Reverse Path Forwarding configuration using EDM
This section provides EDM procedures for Unicast Reverse Path Forwarding configuration.
Configuring reverse path checking on a port
Before you begin
• The system supports reverse path checking only on ports that have a valid IP address.
About this task
Configure reverse path checking on a port to determine if a packet IP address is verifiable. Use
reverse path checking to reduce the problems that are caused by the introduction of malformed or
forged (spoofed) IP source addresses into a network. After you enable reverse path checking, the
switch performs a reverse path check to determine if the packet IP address is verifiable. If the
address is not verifiable, the system discards the packet.
Reverse path checking operates in one of two modes:
• exist-only mode
• strict mode
Procedure
1. In the Device Physical View tab, select a port.
2. In the navigation tree, open the following folders: Configuration > Edit > Port.
3. Click IP.
4. Click the Reverse Path Checking tab.
5. Select the Enable check box to enable reverse path checking.
6. Select exist-only or strict.
7. Click Apply.
Reverse Path Checking field descriptions
Use the data in the following table to use the Reverse Path Checking tab.
Name
Description
Enable
Enables reverse path checking on the selected port. The
default is disabled.
Mode
Specifies the mode for reverse path checking. The modes are
• exist-only—reverse path checking checks whether the
incoming packet source IP address exists in the routing
table. If reverse path checking finds the source IP entry, the
packet is forwarded; otherwise the packet is discarded.
• strict—reverse path checking checks whether the incoming
packet source IP address exists in routing table. If reverse
Table continues…
December 2017
Configuring Security on VOSS
71
Security
Name
Description
path checking does not find the source IP entry, the packet is
dropped; otherwise, reverse path checking further checks if
the source IP interface matches the incoming interface of the
packet. If they match, the packet is forwarded; otherwise the
packet is discarded.
The default is exist-only.
Configuring reverse path checking on an IPv6 port
Before you begin
• The system supports reverse path checking only on ports that have a valid IP address.
About this task
Configure reverse path checking on a port to determine if a packet IP address is verifiable. Use
reverse path checking to reduce the problems that are caused by the introduction of malformed or
forged (spoofed) IP source addresses into a network. After you enable reverse path checking, the
switch performs a reverse path check to determine if the packet IP address is verifiable. If the
address is not verifiable, the system discards the packet.
Reverse path checking operates in one of two modes:
• exist-only mode
• strict mode
Procedure
1. In the Device Physical View tab, select a port.
2. In the navigation pane, expand the : Configuration > Edit > Port folders.
3. Click IPv6.
4. Click the Reverse Path Checking tab.
5. Select theReversePathCheckEnable check box to enable reverse path checking.
6. Select exist-only or strict.
7. Click Apply.
Reverse Path Checking field descriptions
Use the data in the following table to use the Reverse Path Checking tab.
Name
Description
ReversePathCheckEnable
Enables reverse path checking on the selected port. The
default is disabled.
ReversePathCheckMode
Specifies the mode for reverse path checking. The modes are
• exist-only—reverse path checking checks whether the
incoming packet source IP address exists in the routing
Table continues…
December 2017
Configuring Security on VOSS
72
Security configuration using Enterprise Device Manager
Name
Description
table. If reverse path checking finds the source IP entry, the
packet is forwarded; otherwise the packet is discarded.
• strict—reverse path checking checks whether the incoming
packet source IP address exists in routing table. If reverse
path checking does not find the source IP entry, the packet is
dropped; otherwise, reverse path checking further checks if
the source IP interface matches the incoming interface of the
packet. If they match, the packet is forwarded; otherwise the
packet is discarded.
The default is exist-only.
Configuring reverse path checking on a VLAN
Before you begin
• Before you can configure reverse path checking on a VLAN, you must assign a valid IP
address to the selected VLAN.
About this task
Configure reverse path checking on a VLAN to determine if a packet IP address is verifiable. Use
reverse path checking to reduce the problems that are caused by the introduction of malformed or
forged (spoofed) IP source addresses into a network. After you enable reverse path checking, the
switch performs a reverse path check to determine if the packet IP address is verifiable. If the
address is not verifiable, the system discards the packet.
Reverse path checking operates in one of two modes:
• exist-only mode
• strict mode
Procedure
1. In the navigation tree, open the following folders: Configuration > VLAN.
2. Click VLANs.
3. Click the VLAN on which you want to configure reverse path checking.
4. In the toolbar, click IP.
5. Click the Reverse Path Checking tab.
6. Select the Enable box to enable reverse path checking.
7. Select exist-only or strict.
8. Click Apply.
Reverse Path Checking field descriptions
Use the data in the following table to use the Reverse Path Checking tab.
December 2017
Configuring Security on VOSS
73
Security
Name
Description
Enable
Enables reverse path checking on the selected VLAN.
Mode
Specifies the mode for reverse path checking. The modes are
• exist-only—reverse path checking checks whether the
incoming packet source IP address exists in the routing
table. If reverse path checking finds the source IP entry, the
packet is forwarded; otherwise, the packet is discarded.
• strict—reverse path checking checks whether the incoming
packet source IP address exists in routing table. If reverse
path checking does not find the source IP entry, then the
packet is dropped. Otherwise, reverse path checking further
checks if the source IP interface matches the incoming
interface of the packet. If they match, then the packet is
forwarded. Otherwise, the packet is discarded.
The default is exist-only.
Configuring reverse path checking on an IPv6 VLAN
Before you begin
• Before you can configure reverse path checking on a VLAN, you must assign a valid IP
address to the selected VLAN.
About this task
Configure reverse path checking on a VLAN to determine if a packet IP address is verifiable. Use
reverse path checking to reduce the problems that are caused by the introduction of malformed or
forged (spoofed) IP source addresses into a network. After you enable reverse path checking, the
switch performs a reverse path check to determine if the packet IP address is verifiable. If the
address is not verifiable, the system discards the packet.
Reverse path checking operates in one of two modes:
• exist-only mode
• strict mode
Procedure
1. In the navigation pane, expand the Configuration > VLAN folders.
2. Click VLANs.
3. Click the Basic tab.
4. Click the VLAN on which you want to configure reverse path checking.
5. Click IPv6.
6. Click the Reverse Path Checking tab.
7. Select the ReversePathCheckEnable box to enable reverse path checking.
8. Select exist-only or strict.
December 2017
Configuring Security on VOSS
74
Security configuration using Enterprise Device Manager
9. Click Apply.
Reverse Path Checking field descriptions
Use the data in the following table to use the Reverse Path Checking tab.
Name
Description
ReversePathCheckEnable
Enables reverse path checking on the selected VLAN.
ReversePathCheckMode
Specifies the mode for reverse path checking. The modes are
• exist-only—reverse path checking checks whether the
incoming packet source IP address exists in the routing
table. If reverse path checking finds the source IP entry, the
packet is forwarded; otherwise, the packet is discarded.
• strict—reverse path checking checks whether the incoming
packet source IP address exists in routing table. If reverse
path checking does not find the source IP entry, then the
packet is dropped. Otherwise, reverse path checking further
checks if the source IP interface matches the incoming
interface of the packet. If they match, then the packet is
forwarded. Otherwise, the packet is discarded.
The default is exist-only.
Viewing ASG global configuration
About this task
Use this procedure to display the ASG global configuration.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path > ASG
2. Click the Globals tab.
Field descriptions
Use the data in the following table to use the ASG > Globals tab.
Name
Description
EnableStatus
Specifies whether ASG is enabled or disabled. The value 1
indicates that ASG is enabled on the device.
AFID
Specifies the unique authentication file identification number.
Product
Specifies the device on which ASG is enabled.
DateAndTime
Specifies the date and time of configuration.
Release
Specifies the software release in which ASG is configured.
December 2017
Configuring Security on VOSS
75
Security
Viewing active ASG accounts
About this task
Use this procedure to display the accounts associated with ASG on the device.
Procedure
1. In the navigation tree, expand the following folders: Configuration > Security > Control
Path > ASG
2. Click the Accounts tab.
Field descriptions
Use the data in the following table to use the ASG > Accounts tab.
Name
Description
AccessLevel
Specifies the authentication access level for each account.
Username
Specifies the user name corresponding to each account.
Digital certificate configuration using EDM
The following section provides procedures to configure digital certificates using EDM.
Configuring device subject parameters
Use this procedure to configure the device subject parameters to identify the device. The
parameters include name, Email ID, company, department, and location of the subject.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click Certificate.
3. Click the Subject tab.
4. In the CommonName field, type the name of the subject.
5. Complete the remaining optional configuration to customize the policy.
6. Click Apply.
Subject field descriptions
Use the data in the following table to use the Subject tab.
December 2017
Configuring Security on VOSS
76
Security configuration using Enterprise Device Manager
Name
Description
CommonName
Specifies the name of the subject sending the
Certificate Signing Request to the Certificate
Authority.
EmailAddress
Specifies the Email address of the subject sending
the Certificate Signing Request to the Certificate
Authority.
OrganizationalUnit
Specifies the organizational unit of the subject
sending the Certificate Signing Request to the
Certificate Authority.
Organization
Specifies the organization of the subject sending
the Certificate Signing Request to the Certificate
Authority.
Locality
Specifies the locality of the subject sending the
Certificate Signing Request to the Certificate
Authority.
Province
Specifies the province of the subject sending the
Certificate Signing Request to the Certificate
Authority.
Country
Specifies the country of the subject sending the
Certificate Signing Request to the Certificate
Authority.
InstallFile
Installs the specific certificate file type obtained
offline from the Certificate Authority.
InstallFileName
Specifies the certificate file name to install.
UninstallFile
Uninstalls the specific certificate file type obtained
offline from the Certificate Authority.
UninstallFileName
Specifies the certificate file name to uninstall.
GenerateCsr
Generates the certificate signing request to obtain
the offline subject certificate.
Generating key pair
Use the following procedure to generate the private and public key pair for the specific
cryptography type.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click Certificate.
3. Click the Key-pair tab.
4. Click Insert.
5. In the Type field, select the cryptography type.
December 2017
Configuring Security on VOSS
77
Security
This software supports RSA only.
6. In the Size field, enter the size of the key.
7. Click Insert.
Certificate key-pair field description
Use the data in the following table to use the Certificate > Key-Pair tab.
Name
Description
Type
Specifies the cryptography algorithm used to
generate the key-pair.
Size
Specifies the size of the key-pair to be generated.
Name
Specifies the name of the key-pair generated for the
subject.
This name is auto-generated as the combination of
key-type and key-size.
Configuring certificate authority
Use this procedure to configure the certificate authority (CA) and perform related actions. You can
configure only one CA in a device at a time.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click Certificate.
3. Click the CA tab.
4. Click Insert.
5. In the Name field, type a user-defined name of the CA.
6. In the CommonName field, type the common name of the CA.
7. In the KeyName field, type the name of the associated key pair.
8. Complete the remaining optional configuration to customize the policy.
9. Click Insert.
10. (Optional) Click Retry Action if the trustpoint CA certificate authentication fails or takes
time for authentication. This can be done only when the selected Action is caauth.
CA field descriptions
Use the data in the following table to use the CA tab.
December 2017
Configuring Security on VOSS
78
Security configuration using Enterprise Device Manager
Name
Description
Name
Specifies the user-defined name referring to the
Certificate Authority issuing the Digital Certificate.
CommonName
Specifies the Common Name of the Certificate
Authority issuing the Digital Certificate.
KeyName
Specifies the name of the associated key pair.
CaUrl
Specifies the URL of the Certificate Authority
issuing the Digital Certificate.
Action
Specifies the action the Certificate Authority can
take:
• noop — no operation
• caauth — CA authentication
• enroll — certificate enrolment request
• renew — certificate renew request
• remove — remove the subject certificate obtained
online from the CA
• install — install the subject certificate obtained
online from the CA
ActionChallengePassword
Specifies the challenge password required to
perform the SCEP operation.
LastActionStatus
Specifies the status of the last action:
• none - No action is performed yet
• success - Execution of the action triggered is
completed successfully
• failed - Execution of the action triggered has failed
• inProgress - Execution of the action triggered is in
progress
LastActionFailureReason
Specifies the reason of failure for the last action
performed by the Certificate Authority.
InstallRootCaFileName
Specifies the certificate file obtained offline from the
Root Certificate Authority.
SubjectCertificateValidityDays
Specifies the number of days for which subject
certificate will remain valid.
The default value is 365 days.
UsePost
Specifies the HTTP request type: URL or POST.
TRUE for EJBCA and FALSE for Win2012 CA
December 2017
Configuring Security on VOSS
79
Security
Viewing the certificate details
Use this procedure to:
• display the configured key details for given key name.
• display the digital certificate for the given certificate index or list all the certificate details from
the local store if the certificate index is not specified.
• display the CA details for given trustpoint CA name or list all the CA details from the local
store if the CA name is not specified.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click Certificate.
3. Click the Certificate tab.
Certificate field descriptions
Use the data in the following table to use the Certificate tab.
Name
Description
Type
Specifies the certificate type.
VersionNumber
Specifies the version number of the certificate for
the subject as issued by the Certificate Authority.
SerialNumber
Specifies the serial number of the certificate for the
subject as issued by the Certificate Authority.
IssuerName
Specifies the name of the issuer of the certificate for
the subject as issued by the Certificate Authority.
ValidStartPeriod
Specifies the start date of the validation period of
the certificate for the subject as issued by the
Certificate Authority.
ValidEndPeriod
Specifies the last date of the validation period of the
certificate for the subject as issued by the
Certificate Authority.
CertificateSignatureAlgorithm
Specifies the algorithm used for the signature of the
issuer on the certificate for the subject as issued by
the Certificate Authority.
CertificateSignature
Specifies the signature of the issuer on the
certificate for the subject as issued by the
Certificate Authority.
Subject
Specifies the details of the subject on its certificate
as issued by Certificate Authority.
Table continues…
December 2017
Configuring Security on VOSS
80
Security configuration using Enterprise Device Manager
Name
Description
SubjectPublicKeyAlgorithm
Specifies the algorithm used to generate the public
key of the subject for the certificate issued by the
Certificate Authority.
SubjectPublicKey
Specifies the public key of the subject used for the
Certificate Signing Request.
HasBasicConstraint
Specifies whether the certificate contains any basic
certificate constraint or not.
HasKeyUsage
Specifies whether the certificate contains basic key
usage constraint or not.
IsCa
Specifies whether the certificate is a ca certificate or
not.
KeyUsage
Specifies the purpose of the key used in the
certificate. It is represented in the form of bits as
follows:
• bit 0 - digitalSignature
• bit 1 - nonRepudiation
• bit 2 - keyEncipherment
• bit 3 - dataEncipherment
• bit 4 - keyAgreement
• bit 5 - keyCertSign
• bit 6 - cRLSign
• bit 7 - encipherOnly
• bit 8 - decipherOnly
Status
Specifies the status of the certificate.
Installed
Specifies whether the certificate is installed or not.
CdpUrl
Specifies the CDP URL present in the Digital
Certificate Extensions field.
OcspUrl
Specifies the OCSP URL present in the Digital
Certificate AIA field.
ExtendedKeyUsage
Indicates the purpose for which the key is used in
addition to or in place of the basic purposes
indicated in the key-usage field of the certificate.
Installing Root CA certificate
Use the following procedure to install the Root CA certificate obtained offline.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Edit > Diagnostics.
2. Click System Log.
December 2017
Configuring Security on VOSS
81
Security
3. Click Root Certificate Table tab.
4. Click Insert.
5. In the Filename field, enter the filename obtained offline from the CA.
6. In the Action field, select the action.
7. Click Insert.
Root Certificate Table field description
Use the data in the following table to use the System Log > Root Certificate Table tab.
Name
Description
Filename
Specifies the certificate filename obtained offline
from the Root Certificate Authority.
Action
Specifies the action to be performed on Root CA.
• noaction: No action is performed.
• install: Installs the Root CA certificate obtained
offline.
• uninstall: Uninstalls the Root CA certificate.
Conversion Fail appears if the execution of the
action fails.
Viewing Certificate Store
Use the following procedure to view the online, offline and root certificates in the local store.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click Certificate.
3. Click the Certificate Store tab.
Certificate Store field descriptions
Use the data in the following table to use the Certificate Store tab.
Name
Description
CommonName
Specifies the Common Name of the Certificate
Authority issuing the Digital Certificate.
Type
Specifies the certificate type.
VersionNumber
Specifies the version number of the certificate for
the subject as issued by the Certificate Authority.
SerialNumber
Specifies the serial number of the certificate for the
subject as issued by the Certificate Authority.
Table continues…
December 2017
Configuring Security on VOSS
82
Security configuration using Enterprise Device Manager
Name
Description
IssuerName
Specifies the name of the issuer of the certificate for
the subject as issued by the Certificate Authority.
ValidStartPeriod
Specifies the start date of the validation period of
the certificate for the subject as issued by the
Certificate Authority.
ValidEndPeriod
Specifies the last date of the validation period of the
certificate for the subject as issued by the
Certificate Authority.
CertificateSignatureAlgorithm
Specifies the algorithm used for the signature of the
issuer on the certificate for the subject as issued by
the Certificate Authority.
CertificateSignature
Specifies the signature of the issuer on the
certificate for the subject as issued by the
Certificate Authority.
Subject
Specifies the details of the subject on its certificate
as issued by Certificate Authority.
SubjectPublicKeyAlgorithm
Specifies the algorithm used to generate the
subject's public key for the certificate issued by the
Certificate Authority.
SubjectPublicKey
Specifies the public key of the subject used for
Certificate Signing Request.
HasBasicConstraint
Specifies whether certificate contains basic
certificate constraint.
HasKeyUsage
Specifies whether certificate contains basic key
usage constraint.
IsCa
Specifies if the certificate is a CA certificate or not.
KeyUsage
Specifies the purpose of the key used in the
certificate. It is represented in the form of bits as
follows:
• bit 0 - digitalSignature
• bit 1 - nonRepudiation
• bit 2 - keyEncipherment
• bit 3 - dataEncipherment
• bit 4 - keyAgreement
• bit 5 - keyCertSign
• bit 6 - cRLSign
• bit 7 - encipherOnly
• bit 8 - decipherOnly
Status
Specifies the status of the certificate.
Table continues…
December 2017
Configuring Security on VOSS
83
Security
Name
Description
Installed
Specifies whether the certificate is installed or not.
CdpUrl
Specifies the CDP URL present in the Digital
Certificate Extensions field.
OscpUrl
Specifies the OCSP URL present in the Digital
Certificate AIA field.
ExtendedKeyUsage
Indicates the purpose for which the key is used in
addition to or in place of the basic purposes
indicated in the key-usage field of the certificate.
CaFileName
Specifies the certificate file obtained offline from the
Root Certificate Authority.
December 2017
Configuring Security on VOSS
84
Chapter 4: Layer 2 security
Layer 2 security for IPv4 and IPv6 deployments
This chapter describes Layer 2 security concerns and the security features you can use to mitigate
them.
Security features for IPv4 deployments:
• DHCP Snooping
• Dynamic ARP Inspection
• IP Source Guard for IPv4 addresses
Security features for IPv6 deployments:
• First Hop Security (FHS)
• DHCP Snooping and IPv6 Neighbor Discovery Inspection
• IP Source Guard for IPv6 addresses
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in the network.
Without DAI, a malicious user can attack hosts, switches, and routers connected to the Layer 2
network by poisoning the ARP caches of systems connected to the subnet, and intercepting traffic
intended for other hosts on the subnet. DAI prevents these attacks by intercepting, logging, and
discarding the ARP packets with invalid IP to MAC address bindings.
The switch dynamically builds the address binding table from the information gathered from the
DHCP requests and replies when DHCP Snooping is enabled. The switch pairs the MAC address
from the DHCP request with the IP address from the DHCP reply to create an entry in the DHCP
binding table. For more information, see Creating DHCP binding table entries on page 164.
When you enable DAI, the switch filters ARP packets on untrusted ports based on the source
MAC and IP addresses seen on the switch port. The switch forwards an ARP packet when the
source MAC and IP address matches an entry in the address binding table. Otherwise, the switch
drops the ARP packet.
Note:
• For DAI to function, you must enable DHCP Snooping globally.
December 2017
Configuring Security on VOSS
85
Layer 2 security
• Configure DAI on a VLAN to VLAN basis.
DAI cannot be enabled on:
• Private VLANs (Etree)
• SPBM B-VLANs
• MLT port members
First Hop Security
First Hop Security (FHS) improves local network security by employing a number of mitigation
techniques. This section describes the base set functionality which provides protection from a
wide host of rogue or mis-configured users, and this can be extended with additional features for
different deployment scenarios. For example, see the following topology.
Sample topology
In the following topology, Layer 2 switch SW-1 is connected to another Layer 2 switch SW-2. SW-2
is connected to three hosts and SW-1 is connected to two hosts.
In this network, if FHS is enabled only on SW-1, then it can only save the nodes which are directly
connected to it. To protect the good node connected to SW-2, the FHS must be enabled on SW-2.
Figure 1: First Hop Security topology
December 2017
Configuring Security on VOSS
86
Layer 2 security for IPv4 and IPv6 deployments
First Hop Security contains the majority of the RIPE 554 mandatory requirements for Layer 2
switches. This includes the following:
• DHCPv6 Guard or DHCPv6 filtering
• RA Guard or Router Advertisement filtering
DHCPv6 security concerns
The enhancements in IPv6 provide better security in certain areas, but some of these areas are
still open to exploitation by attackers. This section identifies the IPv6 FHS concerns associated
with Dynamic Host Configuration Protocol version 6 (DHCPv6).
DHCPv6 (RFC 3315) describes how a host can acquire an IPv6 address and other configuration
options from a server that is available on its local link. DHCPv6 is described as a stateful protocol.
In other words, DHCPv6 can operate in a stateless fashion where it provides configuration
information to nodes and does not perform address assignments (RFC 3736). In addition, it can
operate in a stateful manner, where it assigns IPv6 addresses and configuration information to
hosts that request it.
As in IPv4 DHCP, DHCPv6 is susceptible to rogue server attacks. In other words, if DHCPv6 is
used to provide IPv6 addresses to the hosts, an attacker that managed to insert a rogue DHCPv6
server in the link can potentially assign addresses and configuration options to the link hosts. In
turn, the attacker can deploy man-in-the-middle, traffic interception, or blackhole traffic, similar to
those in the stateless address autoconfiguration scenario. Therefore, it is important to use DHCP
protections for both IPv4 and IPv6.
DHCPv6 Guard
DHCPv6 Guard is a type of security for IPv6 deployments in an enterprise environment, it provides
Layer 2 security to DHCPv6 clients by protecting them against rogue DHCPv6 servers. The basic
concept of DHCPv6 Guard is that a Layer 2 device filters DHCPv6 messages meant to DHCPv6
clients, based on a number of different criteria. The basic filtering criterion is, the DHCPv6 server
generated packets which are received on non-server ports or from an untrusted server will be
dropped by the Layer 2 device.
Various levels of granularity are provided. Following are the policies that are supported:
• Port based filtering using device role (server or client)
• Server or relay agent IPv6 address based filtering
• Advertising IPv6 prefix based filtering
• DHCPv6 packet filtering based on Server Preference checks
The following are DHCPv6 topology samples:
December 2017
Configuring Security on VOSS
87
Layer 2 security
Figure 2: DHCPv6 Topology 1
Figure 3: DHCPv6 Topology 2
DHCPv6 Guard policies configuration
You can configure DHCPv6 Guard policies using CLI, SNMP and EDM. The following policies are
supported for DHCPv6 Guard.
Port-based filtering using device-role
Port-based filtering using device-role is an interface-level configuration. Only a DHCPv6 server or
relay agent can send a DHCPv6 advertisement or reply. By configuring the device-role attached to
the port (whether it is a client or server), the rogue server generating DHCPv6 advertisement or
reply packets can be blocked if these packets are received on a port configured as a client.
Device-role can be applied only on port, and not on MLT, SMLT, or VLAN. If you configure devicerole on an MLT, SMLT, or VLAN, you must configure same device-role on all the MLT, SMLT, or
VLAN member ports.
December 2017
Configuring Security on VOSS
88
Layer 2 security for IPv4 and IPv6 deployments
In DHCPv6 Guard Topology 1, only DHCPv6 server packets (that is, advertisement, reply)
received on a port configured as a Server port accept the packets and process them for security
validation and forwarding. The Client port drops the packets if it receives packets generated from
a DHCPv6 rogue server.
Server or relay agent IPv6 address based filtering
Server or relay agent IPv6 address-based filtering enables the verification of the advertised
DHCPv6 server and relay address in messages with the configured authorized server access list.
In DHCPv6 Guard Topology 1 and Topology 2, you can configure the access list to accept
DHCPv6 server packets from a specific Source IPv6 address such as a DHCPv6 server or
DHCPv6 relay IPv6 address.
Advertising IPv6 prefix-based filtering
Advertising IPv6 prefix-based filtering enables verification of the advertised prefixes in DHCPv6
reply messages with the configured authorized prefix list.
Server preference-based filtering
Server preference-based filtering enables verification by checking if the advertised preference (in
preference option) is greater than or less than the specified limit.
RA Guard
IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network
through ICMPv6 router discovery messages. When the host is connected to the network for the
first time, it sends a link-local router solicitation multicast request for its configuration parameters.
If the host is configured correctly, routers respond to the request with a Router Advertisement (RA)
packet. The RA packet contains network-layer configuration parameters.
In addition to filtering RAs, RA Guard introduces the concept of router authorization proxy. Instead
of each node on the link analyzing RAs and making an individual decision, a legitimate node-inthe-middle performs the analysis on behalf of all other nodes on the link.
Stateless and statefull RA Guard functions are available. The switch supports only the stateless
RA Guard function.
Stateless RA Guard examines incoming RAs and decides whether to forward or block them based
on the information found in the message or in the Layer 2 device configuration. The following list
identifies the typical information available in the received frames that are used for RA validation:
• Port on which the frame is received
• Source IPv6 address
• Prefix list which RA carries
• Link-Layer address of the sender
After the Layer 2 device successfully validates the RA packet content against the configuration,
the RA is forwarded to its destination, whether unicast or multicast. If the validation fails, the RA is
dropped at the Layer 2 device.
December 2017
Configuring Security on VOSS
89
Layer 2 security
RA Guard policies description
This section describes the RA Guard policies. The following policies are supported for RA Guard:
• Port-based filtering using device role (host or router)
• Source IPv6 based filtering
• Advertised IPv6 prefix-based filtering
• Source MAC address-based filtering
• RA packet for managed address configuration flag validation
• RA packet for hop count limit validation
• RA packet for Router Preference validation
Port-based filtering using device-role
This configuration is an interface-level configuration. According to Neighbor Discovery (ND) RFC
4861, only the IPv6 router can generate the RA packets. By configuring the device-role attached
to the port whether it is a host or router, the rogue host which is generating RA packets can be
blocked. Device-role can be applied only on a port, and not on an MLT, SMLT, or VLAN. If you
configure device-role on an MLT, SMLT, or VLAN, you must configure the same device-role on all
the MLT, SMLT, or VLAN member ports.
In the following topology, the switch is connected to a Layer 3 router and three hosts. Because the
router is directly connected to port 1/2, the device-role of the port 1/2 is configured in Router
mode. The other hosts are connected to ports 1/3, 1/4, and 1/5, and the device-role of ports 1/3,
1/4, and 1/5 are configured in Host Mode.
The host connected to the port 1/4 is a rogue host and if it is trying to send RA packets, then the
switch drops those RA packets received on the interface 1/4 as the device-role of this port is Host
Mode.
December 2017
Configuring Security on VOSS
90
Layer 2 security for IPv4 and IPv6 deployments
Figure 4: RA Guard Topology1
IPv6 source address based filtering
An IPv6 source address based filtering policy enables the source IPv6 address verification of the
RA packets against the configured RA source IPv6 list.
The following figure shows the RA packet format. RA Guard policy verifies the IPv6 source
address (SrcIP) in the IPv6 Header against the configured RA source IPv6 list.
Figure 5: IPv6 ICMP RA data packet online
Advertised IPv6 prefix-based filtering
Advertised IPv6 prefix-based filtering enables verification of the advertised prefixes in inspected
messages against the configured RA prefix list.
The following figure illustrates the IPv6 ICMP RA data packet outline. This RA Guard policy
verifies the RA (Prefix Information) in ICMPv6 data against the configured RA prefix list.
December 2017
Configuring Security on VOSS
91
Layer 2 security
Figure 6: IPv6 ICMP RA data packet outline
Source MAC address-based filtering
Source MAC address-based filtering enables the source MAC address of the RA packets
verification against the configured authorized MAC list.
The following figure illustrates the IPv6 Ethernet packet. This RA Guard policy verifies the
received RA packets source MAC address against the configured authorized MAC access list.
Figure 7: IPv6 Ethernet packet
RA packet for managed address configuration flag validation
In the RA packets, there is an “M” flag (managed address configuration flag) that can be
configured to indicate that the address assignments are available through DHCPv6. This means
that DHCPv6 takes care of the interface address assignment in that LAN segment. If a filtering
policy is enabled, then all the RA packets without an “M” flag are dropped. By default, this
validation is not performed.
The following figure illustrates IPv6 ICMP RA data packet outline for managed address
configuration.
Figure 8: IPv6 ICMP RA data packet outline
RA packet for hop count limit validation
RA packet for hop count limit validation policy verifies the advertised RA message if the hop count
limit is within the configured hop count limit. If the received hop count limit is not within the
configured limit, then those RA packets are dropped.
The following figure illustrates IPv6 ICMP RA data packet outline for hop count limit validation.
December 2017
Configuring Security on VOSS
92
Layer 2 security for IPv4 and IPv6 deployments
Figure 9: IPv6 ICMP RA data packet outline
RA packet for router preference validation
The RA packet contains the Router Preference as part of the flags field. This can be high,
medium, or low. This filtering policy option verifies if the advertised default router preference
parameter value is lower than or equal to a specified limit.
The following figure illustrates IPv6 ICMP RA data packet outline for router preference validation.
Figure 10: IPv6 ICMP RA data packet outline for router preference validation
Capturing and verifying FHS specific packets against the configured
policies
First Hop Security filters can be installed only if FHS is enabled globally. The DHCPv6 Guard or
RA Guard filters are created as a part of First Hop Security filter with port bit mask “0”.
The following list identifies the high-level tasks to capture DHCPv6 packets received on a physical
port:
1. Enable FHS globally.
2. Enable DHCPv6 Guard or RA Guard globally.
3. Create a DHCPv6 Guard or an RA Guard policy.
4. Configure RA Guard or DHCPv6 Guard device role on the port.
5. Attach DHCPv6 Guard and/or RA Guard policy to a physical port if needed.
On configuring RA Guard or DHCPv6 Guard device role on the port, the appropriate port bitmask
for that port will be updated in the data path filter.
The RA or DHCPv6 sever initiated packets received on trusted ports (router or server ports) will be
sent to the local CPU for further validations. If these packets pass the RA Guard and DHCPv6
Guard validation, they will be forwarded towards the intended host or DHCPv6 client; if not, they
will be dropped by the switch.
December 2017
Configuring Security on VOSS
93
Layer 2 security
FHS limitations
The following limitations exist in First Hop Security:
• Fragmented RA and DHCPv6 server initiated packets are dropped on the FHS enabled
switch.
• DHCPv6 Guard and RA Guard do not work on devices connected on shared media or on
tunneled interfaces.
• DHCPv6 Guard or RA Guard policies are not VLAN or MLT based.
• FHS is not supported on the Out Of Band (OOB) port on the switch.
• Packets received on FHS ports with more than one extension header, and if they are
destined to link-local unicast or link-scope multicast address, are dropped as they cannot be
classified as RA or DHCPv6 reply packets.
• The FHS functionality can be bypassed at the first hop switch, if the malicious packets are
destined to global address, and have more than one extension header.
• If the FHS rules and IPv6 filters match for a packet, the IPv6 filter has precedence.
• In a Layer 2 VSN, packets are not filtered based on FHS rules. Enable FHS on the required
UNI ports to protect the connected devices from FHS attacks.
Guidelines for FHS configuration
Some of the FHS configurations need details on how they work and how they should be used.
Following are the details:
1. FHS IPv6 Access lists are generic access/prefix lists which can be applied on IPv6 source
address or the prefixes advertised in RA or DHCPv6 messages. If you filter on the basis of
a particular IPv6 source address, you must configure the access list entry with complete
source address with prefix-length value of 128. If you allow a group of source addresses
within a prefix range, you must configure the IPv6 ACL entry with an appropriate prefix
length and attach this IPv6 ACL to the appropriate match parameters in RA Guard or
DHCPv6 Guard policies.
If you filter a particular prefix, you must configure an IPv6 access list entry with appropriate
prefix and prefix-lengths. To filter based on prefix, prefix-lengths should be less than 128.
Following is an example of IPv6 access list entry:
ipv6 fhs ipv6-access-list match_src_allow
fe80:0:0:0:0:ff:fe00:113/128 mode allow
Note:
a. If no IPv6 ACL is attached to an RA Guard or DHCPv6 Guard policy as a source
ACL, then IPv6 source address in the incoming RA packets or packets from
DHCP server will not be validated, and such packets will not be dropped due to
source address validations.
b. If no IPv6 ACL is attached to an RA Guard or DHCPv6 Guard policy as a prefix
ACL, then prefix information in incoming RA packets or packets from DHCP
December 2017
Configuring Security on VOSS
94
Layer 2 security for IPv4 and IPv6 deployments
server will not be validated and these packets will not be dropped due to prefix
validations.
c. The FHS access or prefix lists are different from IPv6 prefix lists. For FHS, the
switch maintains a separate list (cannot reuse IPv6 prefix lists) as IPv6 prefix lists
do not have any action associated with them, whereas FHS has an action
associated with each ACL entry.
2. When an IPv6 ACL is attached to an RA Guard or DHCPv6 Guard policy and the address
or prefix in the incoming RA Guard or DHCPv6 server packets received on port to which
this RA Guard or DHCPv6 Guard policy is attached does not match any of the entries in
that IPv6 ACL, the packet will be dropped by default. If you want to change this behavior to
default (allow, for IPv6 ACLs), you can add an entry that matches all the packets and set
the action as allow. To do this, use the following command:
ipv6 fhs ipv6-access-list no_match_src_def_allow 0:0:0:0:0:0:0:0/0
mode allow
3. IPv6 ACL entries with conflicting prefixes within an IPv6 ACLs are not allowed, and such
configuration will fail with appropriate error message. Conflicting entries can be present in
two or more different IPv6 ACLs.
4. The entries within an IPv6 ACL will be sorted in increasing order of IPv6 prefixes. If there
are two entries with same prefix address within an ACL, then such entries will be ordered
with increasing value of their prefix-lengths.
5. MAC ACL entries are ordered in the increasing order of MAC addresses within a MAC
ACL. If none of the entries in the MAC ACL match the source MAC address of RA packet,
then the packet will be dropped by default. If no MAC ACL is attached to an RA Guard
policy, then the source MAC address of RA packets is not validated.
6. When matching for a prefix using IPv6 ACL entry, if you advertise a prefix with matching
prefix but prefix-length lesser than configured prefix-length, then the packet has to be
considered as no match and prefix matching process has to continue with remaining IPv6
ACL entries in that ACL.
The rationale behind this functionality is to avoid wrong configuration of access side
devices. This functionality safeguards the devices in an access network if a wrongly
configured IPv6 prefix is advertised or a malicious user is sending invalid (wrong) prefixes.
For example, consider the following scenario:
Configure the prefix in ACL entry (without ge and le values): ipv6 fhs ipv6-accesslist ipv6_acl_entry_1 2000:0123:4567:89ab::/64 mode allow
Advertise the prefix in RA packet: 2001:0123:4567:89ab::/48
This advertised prefix matches the configured IPv6 ACL entry and without this prefix-length
check functionality, the packet is allowed to pass through. But, actually it is configuring all
access devices in that network with wrong IPv6 configurations in different IPv6 network
(2001:0123:4567::/48)
December 2017
Configuring Security on VOSS
95
Layer 2 security
With prefix-length check functionality (explained above), this configuration is not allowed as
advertised prefix length is not equal to configured prefix length. So, the wrong
configurations of access devices is avoided.
7. Importance of “ge” and “le” parameters in an IPv6 ACL entry:
A user can optionally configure “ge” (greater than or equal to) and “le” (lesser than or equal
to) parameters while configuring an IPv6 ACL entry. If the prefix advertised in a packet
matches the configured prefix in an IPv6 ACL entry, and “ge” and “le” values are configured
(not default) for that IPv6 ACL entry:
• The packet will be allowed to go through only if the prefix-length in the packet is within
the range of configured “ge” and “le” values.
• If prefix lengths in the packet are not within the configured range of “ge” and “le” values
(non-default values), then the packets would be considered as no match for that IPv6
ACL entry and search for matching IPv6 ACL entry continues within that IPv6 ACL.
• If no ge and le values are configured, those values by default are set to configured prefix
length in that IPv6 ACL entry.
• ge and le values are allowed only if they are greater than configured prefix.
• When both are configured (not default values), ge value should always be smaller than
le value.
These configurations provide more control over the advertised prefixes in RA or DHCPv6
packets.
8. As “ge” and “le” values are valid only for advertised prefixes, they will not be applied to
IPv6 addresses, which are not prefixes. For such addresses, prefix match is considered as
match for that IPv6 ACL entry and the corresponding action of that ACL entry is applied on
that packet. “ge” and “le” configurations are irrelevant for the following:
• IPv6 source address in RA packet
• IPv6 source address in packets from DHCPv6 server (like DHCPv6 advertise, DHCPv6
reply)
• IPv6 address (temporary or non-temporary) advertised in packets from DHCPv6 server.
For example, IPv6 addresses advertised in IANA option of DHCPv6 reply packets
9. Order of packet validations:
In RA or DHCPv6 packets received at the CP for FHS processing, the following order of
processing is carried out:
a. Packet parsing
b. Checking for presence of IPv6 fragment header
c. Checking if packets are RA packets or DHCPv6 packets from server (Advertise,
Reply, Reconfigure, Relay-Reply)
d. Basic validations:
• Non-Link-Local source IPv6 address (only for RA packets)
December 2017
Configuring Security on VOSS
96
Layer 2 security for IPv4 and IPv6 deployments
• L4 length validations
• Checksum validations
e. If an RA Guard or DHCPv6 Guard policy is attached to a port:
• MAC ACL validations (if configured) (Only for RA packets)
• IPv6 source address ACL validation (if configured)
• IPv6 prefix ACL validations (if configured)
• Other packet parameter validations like:
- Managed config flag (RA)
- ICMP hop limit (RA)
- Router preference (RA)
- Server preference (DHCPv6)
If any of these validations fail or if action associated with a match ACL entry indicates
to DROP (or default drop if ACL is attached to corresponding policy but packet does
not match any ACL entry in that ACL), then the packets are dropped and
corresponding statistics are updated. If all these pass or actions related to all matched
ACL entries are PERMIT, then the packet is allowed to go through.
10. Longest prefix match: If a packet matches multiple entries in an ACL, then the action
associated with an entry with longest prefix match would be applied on the packet.
11. If a port is configured as untrusted (“host” as device role for RA Guard or “client” as device
role for DHCPv6 Guard), all the FHS trusted traffic (RA packets for RA Guard or packets
from DHCPv6 server for DHCPv6 Guard) are dropped in data path itself. Also for such
drops, statistics are not incremented.
If a port is neither configured as trusted nor untrusted, then the FHS traffic (RA packets or
DHCPv6 packets from DHCPv6 server) is switched as if FHS is not present.
12. Creation of FHS port policy mappings:
Until, and unless, any of the FHS parameters are configured on a port, port policy
mappings are not created and thus with no port to policy mapping configured, no entries
appear while listing port policy mappings using the command show ipv6 fhs portpolicy.
13. If a RA Guard or DHCPv6 Guard policy is attached to any of the ports, deletion of such
policy is not allowed. In the contrary, to delete an RA Guard or DHCPv6 Guard policy,
those policies need to be detached from all the ports in the switch. However, modification
of an RA Guard or DHCPv6 Guard policy is allowed even if it is attached to ports.
14. If a MAC or IPv6 ACL is attached to an RA Guard or DHCPv6 Guard policy, you cannot
delete the ACL itself. You can delete the entries from this policy even if it is attached to any
policy. At least one entry needs to exist in a MAC or IPv6 ACL; you cannot delete the last
entry in that ACL if that ACL is attached to any RA Guard or DHCPv6 Guard policy. You
must detach that ACL from all the policies to delete that ACL. However, you can update the
entries in that ACL even if it is attached to a policy.
December 2017
Configuring Security on VOSS
97
Layer 2 security
If a port is configured as trusted (“Server” port for DHCPv6 Guard and “Router” port for RA
Guard), then only one can attach a DHCPv6 Guard or RA Guard policy to that port. In the
contrary, if any policy is attached to a port, the port role cannot be changed from trusted
(“Server” port for DHCPv6 Guard and “Router” port for RA Guard) to other role (“Client”
port for DHCPv6 Guard, “Host” port for RA Guard or “None” for both) until that policy is not
detached from port.
DHCP Snooping and Neighbor Discovery inspection
DHCP Snooping
DHCP Snooping is a Layer 2 security feature, that provides network security by filtering untrusted
DHCP messages received from the external network causing traffic attacks within the network.
DHCP Snooping is based on the concept of trusted versus untrusted switch ports. Switch ports
configured as trusted can forward DHCP Replies, and the untrusted switch ports cannot. DHCP
Snooping acts like a firewall between untrusted hosts and DHCP servers.
Note:
The switch supports:
• DHCP Snooping for both IPv4 and IPv6.
• Neighbor Discovery (ND) inspection for IPv6.
Security is critically important in an access network because various devices can connect to an
access network that may not be administratively controlled by a single administrator. Stateless
Address Autoconfiguration (SLAAC) and Duplicate Address Detection (DAD) mechanisms used by
IPv6 are more vulnerable to attacks from a malicious user. If any person, intentionally or
unintentionally, configures an IP address on the device interface wrongly and advertises that IP
address as one’s own address during DAD mechanism initiated by other device, DAD initiated
devices cannot assign this address. If a malicious user replies to all the DAD IP addresses as own
address, none of the devices in the access network can assign any IP addresses to their
interfaces. Thus, DoS attacks can be easily carried out by the malicious user making the entire
network unfunctional. In another kind of attack, a malicious user can try to poison the neighbor
cache of a host by sending ND packets with bogus MAC address which is learnt by other hosts
into their neighbor table. Due to the infiltration of the bogus MAC address in the host’s neighbor
table, the packets destined to its neighbor is sent to the bogus MAC address and is eventually
dropped or received by an unintended host.
In general, these kinds of attacks are carried out by sending different Neighbor Discovery (ND)
packets – either through solicited ND packet exchanges or as a result of unsolicited ND packet
exchanges triggered due to an event like the expiry of ND timers. These packets carry interface IP
address information and link-layer address information. Other devices use this information to build
their neighbor table for forwarding traffic to or through the malicious device. As part of ND
inspection mechanism, ND (specifically, NS, NA, and redirect) packets from only trusted hosts are
allowed to pass through and the packets from un-trusted hosts are dropped in the switch itself.
Other network devices can safely use ND mechanisms for correctly assigning IP address to their
interfaces resulting in a smooth traffic flow.
December 2017
Configuring Security on VOSS
98
Layer 2 security for IPv4 and IPv6 deployments
For validating the ND packets, the switch must first learn the trusted information by various
mechanisms and store the information in a DHCP binding table. If the switch receives ND packets
on an untrusted port, the packets are validated against entries in the DHCP binding table. If the
ND packets pass the validation, the packets are forwarded. If the packets fail the validation, they
are dropped in the switch itself. This process avoids invalid NA packets from propagating beyond
the access switch.
DHCP Snooping and ND inspection feature protects the network from the following types of
attacks:
• User misconfigurations: Host assigns an address which should not be used by the recipient
device. ND inspection blocks this address in the access switch because binding entry does
not exist for that address for that host.
• DAD spoofing: Malicious user claims that the address is taken even if it is not.
• NUD spoofing: Malicious host responds to NUD NS packets indicating that the address is
still reachable via that host even if that neighbor is actually not reachable.
• ND cache poisoning: Malicious user sends different (invalid) link-layer addresses for a
target IP address causing other hosts in the network to program bogus MAC for a given IP
neighbor, as a result of which, the traffic gets black-holed or misused by malicious host.
DHCP binding table
DHCP Snooping builds and maintains a binding table, this binding table contains the MAC
address, IP address, lease time, binding type, VLAN number, and port information that correspond
to the local untrusted ports of the switch. When the switch receives a DHCPRELEASE or
DHCPDECLINE broadcast message, DHCP Snooping performs a lookup of the MAC address in
the binding table to determine if the port information in the binding table matches the port on which
the message was received. If the port information matches, the DHCP packet is forwarded,
otherwise it is dropped.
Trust bindings
A switch enabled with the Neighbor Discovery inspection feature allows NA packets through, if the
packets are from a trusted host. To allow or deny Neighbor Advertisement (NA) packets, trust
bindings must be established using following methods:
• Configuring the port connected to a device (or host) as trusted.
• Building a DHCP binding table which contains entries from trusted devices (or hosts) only.
This DHCP binding table is used for validating NA packets.
This method of trust binding involves 2 processes:
IP address learning (snooping) process
In this process an IP address is learnt through a trusted means and a DHCP binding table is
built. The switch supports the DHCP binding table entry learning by:
- Statically configuring the entries
- Dynamically learning by DHCP Snooping packets
NA packet validation (inspection) process
This process uses the DHCP binding table entries which are populated as part of IP address
learning process to validate the incoming NA packets.
December 2017
Configuring Security on VOSS
99
Layer 2 security
Once the DHCP binding tables are built, the information gathered using trust binding is used to
validate the ND packets. If the ND packets cannot be validated using this information, they are
considered as packets received from an un-trusted host and are dropped by the switch.
Restrictions
In addition to the FHS restrictions, DHCP Snooping and ND inspection have the following
restrictions:
• Link-local address validation is not supported under ND inspection. Thus, an FHS enabled
switch is vulnerable to attackers who try to attack with link-local addresses.
• As a 5-second timer is used to cleanup expired DHCP binding table entries, the expired
DHCP binding table entries may remain in the DHCP binding table for up to 5 seconds after
they expire.
• If a FHS-enabled switch gets rebooted, all the dynamically-learned binding entries get
flushed and those entries need to be re-learned for ND inspection to pass. However, when
the switch is rebooted, DHCP clients connected to it do not re-initiate DHCP learning, due to
which, the switch cannot learn these assigned IP addresses. As a result, ND inspection fails
for these addresses. To overcome this problem either DHCP client must learn the IP address
again through DHCP mechanisms or the administrator must add static entries for these
addresses.
• For IPv6, DHCP binding table entries learned through DHCP are not removed from the
DHCP table on DHCP clients that release these addresses. The administrator must manually
remove these entries once the addresses are released.
• A dynamic DHCP binding table entry is learned only using the DHCP mechanism. For other
modes of address configuration on the host, a relevant DHCP binding table entry must be
configured on the FHS switch so that ND packets from such host are not blocked due to ND
inspection processing.
• DHCP Snooping is not supported on:
- DHCP Relay
- Etree
- Extensible Authentication Protocol over LAN (EAPoL)
- Private VLANs
- Split Multi-Link Trunking (SMLT)
IP Source Guard
IP Source Guard (IPSG) is a Layer 2 port-to-port feature that works closely with DHCP Snooping.
It prevents IP spoofing by allowing only IP addresses obtained using DHCP Snooping.When you
enable IPSG on an untrusted port with DHCP Snooping enabled, an IP filter is automatically
created or deleted for that port based on the information stored in the corresponding DHCP
Snooping binding table entry. When a connecting client receives a valid IP address from the
DHCP server, the filter installed on the port allows traffic only from that assigned IP address.
You can configure IPSG on a port using the command line interface (CLI), the Enterprise Device
Manager (EDM), or SNMP.
December 2017
Configuring Security on VOSS
100
Layer 2 security for IPv4 and IPv6 deployments
Note:
The switch supports configuration of IP Source Guard for both IPv4 and IPv6 addresses.
The following table shows you how IPSG works with DHCP Snooping.
Table 5: IP Source Guard and DHCP snooping
IP Source Guard
configuration state
DHCP snooping
configuration state
DHCP snooping
Binding Entry action
(untrusted ports)
IP Source Guard action
change from disabled to
enabled
enabled
creates a binding entry
creates a filter for the IP
address using the IP
address from the binding
table entry
enabled
enabled
creates a binding entry
creates a filter for the IP
address using the IP
address from the binding
table entry
enabled
enabled
deletes a binding entry
deletes the IP filter and
installs a default filter to
block all IP traffic on the
port
enabled
enabled
deletes binding entries
when one of the
following conditions
occur:
deletes the
corresponding IP filter
and installs a default
filter to block all IP traffic
• a DHCP release
packet is received
• the port link is down
• the lease time has
expired
• the port is removed
from the VLAN
• the VLAN is deleted
• the port is set as
trusted
• the binding entries are
manually deleted
change from enabled to
disabled
enabled
not applicable
deletes the installed IP
filter for the port
disabled
enabled
creates a binding entry
not applicable
disabled
enabled
deletes a binding entry
not applicable
December 2017
Configuring Security on VOSS
101
Layer 2 security
IPSG limitations
• You can enable IP Source Guard (IPSG) only on a port that is DHCP Snooping and Dynamic
ARP Inspection untrusted.
• The port must be a member of a VLAN. DHCP Snooping must be enabled globally and on
the VLAN. You must also enable Dynamic ARP Inspection on the same VLAN.
• You cannot enable IPSG on MLT, SMLT, DMLT or LAG ports.
• You cannot enable IPSG on a brouter port.
• You cannot enable IPSG on ports that are members of a private VLAN.
• You cannot remove a port that is IPSG enabled from a VLAN. Similarly, you cannot delete a
VLAN that has at least one port that is IPSG enabled.
• A maximum of 10 IP addresses are allowed on each IPSG enabled port. Correspondingly, a
maximum of 10 IP filters are automatically created for each of those ports. When this number
is reached, no more filters are set up and all traffic is dropped.
• On the switch, the total number of IP filters must not exceed 256. This limit includes both IP
filters that are automatically created on IPSG ports and the manually created ACLs.
Layer 2 security configuration using the CLI
Use the following sections to help you configure Layer 2 security features and protect the network
by mitigating various types of attacks, using the Command Line Interface (CLI).
For IPv4 deployments, configure:
• DHCP Snooping
• Dynamic ARP Inspection
• IP Source Guard for IPv4 addresses
For IPv6 deployments, configure:
• First Hop Security (FHS)
Note:
FHS does not solve all cases of denial of services like blocking flooding of the IPv6
messages.
• DHCP Snooping and IPv6 Neighbor Discovery Inspection
• IP Source Guard for IPv6 addresses
DHCP Snooping configuration using CLI
The following section provides procedures to configure DHCP Snooping using the CLI.
December 2017
Configuring Security on VOSS
102
Layer 2 security configuration using the CLI
Enabling or disabling DHCP Snooping globally
Use the following procedure to enable DHCP Snooping globally. If DHCP Snooping is globally
disabled, the switch forwards DHCP reply packets to all required ports, both trusted or untrusted.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable DHCP Snooping globally:
ip dhcp-snooping enable
3. Disable DHCP Snooping globally:
no ip dhcp-snooping enable
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ip dhcp-snooping enable
Variable definitions
Use the data in the following table to use the ip dhcp-snooping command.
Variable
Value
enable
Enables or disables DHCP Snooping globally. By
default, DHCP Snooping is disabled.
Enabling or disabling DHCP Snooping on a VLAN
Use the following procedure to configure DHCP Snooping on a specific VLAN. If DHCP Snooping
is globally disabled, the switch forwards DHCP reply packets (received on trusted or untrusted
ports) to all ports.
If you enable DHCP Snooping globally, the agent determines whether to forward DHCP reply
packets based on the DHCP Snooping mode of the VLAN and trusted state of the port.
Note:
You cannot enable DHCP Snooping on Private VLANs (E-Tree) and SPBM B-VLANs.
Before you begin
You must enable DHCP Snooping globally.
Procedure
1. Enter VLAN Interface Configuration mode:
enable
configure terminal
December 2017
Configuring Security on VOSS
103
Layer 2 security
interface vlan <1–4059>
2. Enable DHCP Snooping on the VLAN:
ip dhcp-snooping enable
3. Disable DHCP Snooping on the VLAN:
no ip dhcp-snooping enable
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 5
Switch:1(config-if)#ip dhcp-snooping enable
Variable definitions
Use the data in the following table to use the ip dhcp-snooping command.
Variable
Value
enable
Enables or disables DHCP Snooping on the
specified VLAN.
Configuring trusted and untrusted ports
Use the following procedure to set the trust factor associated with a port for DHCP Snooping. By
default, the trust factor is set to untrusted.
Note:
For ports that are members of an MLT, DHCP Snooping must be configured using the MLT
configuration mode.
Before you begin
You must enable DHCP Snooping globally.
Procedure
1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]} or interface mlt <1-512>
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Set the trust factor for the port:
ip dhcp—snooping <trusted|untrusted>
December 2017
Configuring Security on VOSS
104
Layer 2 security configuration using the CLI
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#ip dhcp-snooping trusted
Variable definitions
Use the data in the following table to use the ip dhcp-snooping command.
Variable
Value
<trusted|untrusted>
Specifies the trust factor of the port for DHCP
Snooping.
Displaying DHCP Snooping global configuration
Use the following procedure to display the global status of DHCP Snooping configuration.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display the global configuration:
show ip dhcp-snooping
Example
Switch:1>show ip dhcp-snooping
================================================================================
Dhcp Snooping General Info
================================================================================
Dhcp Snooping
: Enabled
--------------------------------------------------------------------------------
Displaying DHCP Snooping interface information
Use the following procedure to view the DHCP Snooping interface information.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display DHCP Snooping brouter port information:
show ip dhcp-snooping interface [ gigabitEthernet [ {slot/port[/
sub-port] [-slot/port[/sub-port]] [,...]} [ vrf WORD<1-16> | vrfids
WORD<0-512> ] | <1-4059> [ {slot/port[/sub-port] [-slot/port[/subport]] [,...]} [ vrf WORD<1-16> | vrfids WORD<0-512> ] | vrf
WORD<1-16> | vrfids WORD<0-512> ] | vrf WORD<1-16> | vrfids
WORD<0-512> ] ]
3. Display DHCP Snooping VLAN information:
show ip dhcp-snooping vlan <1-4059>
4. Display DHCP Snooping information for specific VRF name:
December 2017
Configuring Security on VOSS
105
Layer 2 security
show ip dhcp-snooping vrf WORD<1-16>
5. Display DHCP Snooping information for specific VRF ID:
show ip dhcp-snooping vrfids WORD<0-512>
Example
Switch:1>show ip dhcp-snooping interface gigabitEthernet
===============================================================================
Dhcp Snooping Interface Info
===============================================================================
PORT
PORT
TRUNK
NUM
CLASS
ID
------------------------------------------------------------------------------1/1
UNTRUSTED
none
1/2
UNTRUSTED
none
2/1
UNTRUSTED
none
2/2
UNTRUSTED
none
2/3
UNTRUSTED
none
2/4
UNTRUSTED
none
2/5
UNTRUSTED
none
2/6
UNTRUSTED
none
2/7
UNTRUSTED
none
2/8
UNTRUSTED
none
2/9
UNTRUSTED
none
2/10
UNTRUSTED
none
2/11
UNTRUSTED
none
2/12
UNTRUSTED
none
2/13
UNTRUSTED
none
2/14
UNTRUSTED
none
------------------------------------------------------------------------------All 16 out of 16 Total Num of Dhcp Snooping entries displayed
Switch:1>show ip dhcp-snooping vlan
===============================================================================
Dhcp Snooping Vlan Info
===============================================================================
VLAN
VRF
ID
NAME
ENABLE
------------------------------------------------------------------------------1
GlobalRouter
false
10
GlobalRouter
false
4051
GlobalRouter
false
4052
GlobalRouter
false
------------------------------------------------------------------------------All 4 out of 4 Total Num of Dhcp Snooping entries displayed
Switch:1>show ip dhcp-snooping binding vrfids 0
=======================================================================================================
DHCP Snooping Binding Table
=======================================================================================================
MAC
IP
PORT
VLAN
VRF
LEASE
EXPIRY
ENTRY
ADDRESS
ADDRESS
NUM
ID
NAME
TIME
TIME
TYPE
------------------------------------------------------------------------------------------------------36:63:0e:73:03:fe
192.0.2.8
2/10/2 200
GlobalRouter
86400
83700
Learned
36:63:0e:73:03:ff
192.0.2.9
2/10/2 200
GlobalRouter
86400
83700
Learned
Static entries : 0
Learned entries : 2
Total entries
: 2
------------------------------------------------------------------------------------------------------All 2 out of 2 Total DHCP Snooping binding entries displayed
Switch:1>show ip dhcp-snooping binding vrf vrf100
=======================================================================================================
December 2017
Configuring Security on VOSS
106
Layer 2 security configuration using the CLI
DHCP Snooping Binding Table
=======================================================================================================
MAC
IP
PORT
VLAN
VRF
LEASE
EXPIRY
ENTRY
ADDRESS
ADDRESS
NUM
ID
NAME
TIME
TIME
TYPE
------------------------------------------------------------------------------------------------------00:00:00:00:01:01
192.0.2.11
2/30
100
vrf100
Infinite
none
Static
Static entries : 1
Learned entries : 0
Total entries
: 1
------------------------------------------------------------------------------------------------------All 1 out of 3 Total DHCP Snooping binding entries displayed
Adding static entries to DHCP Snooping binding table
Use the following procedure to add devices with a specified MAC address to the DHCP Snooping
binding table.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Add the static entry to the DHCP Snooping binding table:
ip dhcp-snooping binding <1-4059> 0x00:0x00:0x00:0x00:0x00:0x00 ip
{A.B.C.D} port {slot/port[sub-port]} [expiry <0-2147483646>]
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)# ip dhcp-snooping binding 1 00-14-22-01-23-45 ip 10.10.10.01 port 1/2
expiry 2
Variable definitions
Use the data in the following table to use the ip dhcp-snooping binding command.
Variable
Value
<1-4059>
Specifies the VLAN ID.
0x00:0x00:0x00:0x00:0x00:0x00
Specifies the MAC address of the DHCP client.
ip {A.B.C.D}
Specifies the IP address of the DHCP client.
port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
Specifies the switch port to which the DHCP client
connects.
expiry <0-2147483646>
Specifies the expiry time (in seconds) for the DHCP
client.
Clearing entries from DHCP Snooping binding table
Use the following procedure to clear entries (static or dynamic) from the DHCP Snooping binding
table.
Procedure
1. Enter Privileged EXEC mode:
December 2017
Configuring Security on VOSS
107
Layer 2 security
enable
2. Enter:
clear ip dhcp-snooping binding [dynamic|static]
Example
Switch:1>enable
Switch:1#clear ip dhcp-snooping binding static
Variable definitions
Use the data in the following table to use the clear ip dhcp-snooping binding command.
Variable
Value
static
Clears static entries from the DHCP Snooping
binding table.
dynamic
Clears dynamic entries from the DHCP Snooping
binding table.
Displaying DHCP Snooping binding table information
Use the following procedure to display the DHCP Snooping binding table, you can filter the entries
displayed based on the type, port, or VLAN.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display all binding entries:
show ip dhcp-snooping binding
3. Display binding entries based on the MAC address or IP address:
show ip dhcp-snooping binding address
[0x00:0x00:0x00:0x00:0x00:0x00|{A.B.C.D}]
4. Display binding entries configured on the ports:
show ip dhcp-snooping binding interface [gigabitEthernet{slot/
port[/sub-port] [-slot/port[/sub-port]] [,...]}]
5. Display binding entries configured on the VLANs:
show ip dhcp-snooping binding vlan <1-4059>
6. Display binding entries configured on a specific VRF:
show ip dhcp-snooping binding vrf WORD<1-16>
7. Display binding entries configured on a specific VRF ID:
show ip dhcp-snooping binding vrfids WORD<0-512>
8. Display a summary of the DHCP Snooping binding table:
December 2017
Configuring Security on VOSS
108
Layer 2 security configuration using the CLI
show ip dhcp-snooping binding summary [<1-4059>] [vrf WORD<1-16>]
[vrfids WORD<0-512>] [{slot/port[/sub-port] [-slot/port[/sub-port]]
[,...]}]
9. Display binding entries based on the type of entry:
show ip dhcp-snooping binding type [dynamic|static]
Example
Switch:1>show ip dhcp-snooping binding
=======================================================================================================
==
DHCP Snooping Binding Table
=======================================================================================================
==
MAC
IP
PORT
VLAN
VRF
LEASE
EXPIRY
ENTRY
ADDRESS
ADDRESS
NUM
ID
NAME
TIME
TIME
TYPE
-------------------------------------------------------------------------------------------------------23-74-44-33-15-33
192.0.2.40
225
1
13446
0
0
Static
ab-22-44-23-22-11
192.0.2.56
213
34
52341
0
0
Static
bb-22-44-33-af-ab
192.0.2.134
197
234
34345
0
0
Static
bb-22-44-af-af-ab
192.0.2.88
197
999
52342
0
0
Static
fe-92-44-33-22-33
192.0.2.13
211
333
52343
0
0
Static
fe-ab-44-33-22-33
192.0.2.45
197
74
52343
0
0
Static
-------------------------------------------------------------------------------------------------------Static entries : 6
Learned entries : 0
Total entries
: 6
--------------------------------------------------------------------------------------------------------
Dynamic ARP Inspection configuration using CLI
The following section provides procedures to configure Dynamic ARP Inspection (DAI) using CLI.
Enabling or disabling Dynamic ARP Inspection on a VLAN
You must enable DAI separately for each VLAN. When you enable DAI on a specific VLAN, the
ARP packets are captured and inspected on that VLAN. DAI is disabled by default.
Note:
DAI cannot be enabled on Private VLANs (E-Tree) and SPBM B-VLANs.
Before you begin
You must enable DHCP Snooping globally.
Procedure
1. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4059>
2. Enable DAI on the VLAN:
December 2017
Configuring Security on VOSS
109
Layer 2 security
ip arp-inspection enable
3. Disable DAI on the VLAN:
no ip arp-inspection enable
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 5
Switch:1(config-if)#ip arp-inspection enable
Variable definitions
Use the data in the following table to use the ip arp-inspection command.
Variable
Value
enable
Enables or disables DAI on the specified VLAN.
Configuring trusted and untrusted ports
Use the following procedure to set the trust factor associated with a port for DAI. By default, the
trust factor is set to untrusted.
Note:
For ports that are part of an MLT, DAI must be configured using the MLT configuration mode.
Before you begin
You must enable DHCP Snooping globally.
Procedure
1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]} or interface mlt <1-512>
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Set the trust factor for the port:
ip arp-inspection <trusted|untrusted>
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/2
Switch:1(config-if)#ip arp-inspection trusted
December 2017
Configuring Security on VOSS
110
Layer 2 security configuration using the CLI
Variable definitions
Use the data in the following table to use the ip arp-inspection command.
Variable
Value
<trusted|untrusted>
Specifies the trust factor of the port for DAI.
Displaying Dynamic ARP Inspection interface information
Use the following procedure to view the DAI interface information.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display DAI brouter port information:
show ip arp-inspection interface [ gigabitEthernet [ {slot/port[/
sub-port] [-slot/port[/sub-port]] [,...]} [ vrf WORD<1-16> | vrfids
WORD<0-512> ] | <1-4059> [ {slot/port[/sub-port] [-slot/port[/subport]] [,...]} [ vrf WORD<1-16> | vrfids WORD<0-512> ] | vrf
WORD<1-16> | vrfids WORD<0-512> ] | vrf WORD<1-16> | vrfids
WORD<0-512> ] ]
3. Display DAI VLAN information:
show ip arp-inspection vlan <1-4059>
4. Display DAI information for specific VRF name:
show ip arp-inspection vrf WORD<1-16>
5. Display DAI information for specific VRF ID:
show ip arp-inspection vrfids WORD<0-512>
Example
Switch:1>show ip arp-inspection interface gigabitEthernet 1/2
=========================================================================
Arp Inspection Port Info
=========================================================================
PORT
PORT
TRUNK
NUM
CLASS
ID
------------------------------------------------------------------------1/2
UNTRUSTED
none
------------------------------------------------------------------------All 1 out of 1 Total Num of Arp Inspection entries displayed
Switch:1>show ip arp-inspection vlan
=========================================================================
Arp Inspection Vlan Info
=========================================================================
VLAN
VRF
ID
NAME
ENABLE
------------------------------------------------------------------------1
GlobalRouter
false
2
GlobalRouter
false
December 2017
Configuring Security on VOSS
111
Layer 2 security
20
GlobalRouter
false
55
GlobalRouter
true
------------------------------------------------------------------------All 4 out of 4 Total Num of Arp Inspection entries displayed
Switch:1>show ip arp-inspection vrfids 5
=========================================================================
Arp Inspection Vlan Info
=========================================================================
VLAN
VRF
ID
NAME
ENABLE
------------------------------------------------------------------------10
tt
true
------------------------------------------------------------------------Switch:1>show ip arp-inspection vrf TT
=========================================================================
Arp Inspection Vlan Info
=========================================================================
VLAN
VRF
ID
NAME
ENABLE
------------------------------------------------------------------------10
tt
true
-------------------------------------------------------------------------
FHS configuration
Configure IPv6 FHS features to enable IPv6 link security and management over the Layer 2 links.
Enabling or disabling FHS globally
About this task
You must enable First Hop Security globally for RA Guard or DHCPv6 Guard to be operational.
Enabling FHS globally installs the required filters for FHS. Disabling FHS, uninstalls these filters.
By default, FHS is disabled.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable First Hop Security globally:
ipv6 fhs enable
3. Disable First Hop Security globally:
no ipv6 fhs enable
OR
December 2017
Configuring Security on VOSS
112
Layer 2 security configuration using the CLI
default ipv6 fhs enable
Managing the FHS IPv6 access list
About this task
You can create an FHS IPv6 access list or add IPv6 prefixes to an existing IPv6 access list.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create an FHS IPv6 access list or add IPv6 prefixes to an existing IPv6 access list:
ipv6 fhs ipv6–access-list [WORD<1-64>] [WORD<0-46>] [ge<0-128>] [le
<0-128>] [mode <allow | deny>]
3. Delete an FHS IPv6 access list or delete a particular IPv6 prefix from the IPv6 access list:
no ipv6 fhs ipv6–access-list [WORD<1-64>] [WORD<0-46>]
4. Set the ge/le values and mode of the FHS IPv6 access list to default value:
default ipv6 fhs ipv6–access-list [WORD<1-64>] [WORD<0-46>] [ge|le|
mode]
Example
Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#ipv6 fhs ipv6–access-list ipv6_acl_1 fe80::221:2fff:fe31:5376/64
Switch(config)#
Variable definitions
Use the data in the following table to use the ipv6 fhs ipv6-access-list command.
Variable
Description
WORD<1-64>
Specifies the IPv6 access list name.
WORD<0-46>
Specifies the IPv6 address or the prefix length to be added to the IPv6
access list.
ge <0 -128>
Specifies the minimum value of prefix length advertised in prefix
information of RA or DHCPv6 packets.
By default, the value is equal to the configured prefix length.
Note:
If you manually configure the value, ensure that it is greater than the
configured prefix length. Also ensure, the ge value is always less
than the le value.
Table continues…
December 2017
Configuring Security on VOSS
113
Layer 2 security
Variable
Description
le <0 -128>
Specifies the maximum value of prefix length advertised in prefix
information of RA or DHCPv6 packets.
By default, the value is equal to the configured prefix length.
Note:
If you manually configure the value, ensure that it is greater than the
configured prefix length.
mode <allow | deny>
Specifies the access mode.
By default, the value is allow.
Displaying FHS IPv6 access list information
About this task
Displays the current FHS IPv6 access list information.
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display the current FHS IPv6 access list information:
show ipv6 fhs ipv6-access-list [WORD<1–64>]
Example
Switch:1# show ipv6 fhs ipv6-access-list
================================================================================
IPv6 FHS Access List Table Info
================================================================================
MASK-RANGE
ACC-LIST-NAME
IPV6-PREFIX
MASK FROM TO
MODE
-------------------------------------------------------------------------------v6_acl1
1:0:0:0:0:0:0:1
64
64
64
Allow
v6_acl2
1:0:0:0:0:0:0:1
64
64
64
Allow
-------------------------------------------------------------------------------All 2 out of 2 Total Num of ipv6 access list entries displayed
Job aid
The following table shows the field descriptions for the show ipv6 fhs ipv6-access-list
command.
Field
Description
Access list name
Indicates the IPv6 access list name.
ipv6_prefix
Indicates the IPv6 prefix added to the IPv6 access
list.
Table continues…
December 2017
Configuring Security on VOSS
114
Layer 2 security configuration using the CLI
Field
Description
mask_len
Indicates prefix mask length added to the IPv6
access list.
mask_range_from
Indicates the IPv6 range start mask length.
mask_range_to
Indicates the IPv6 range end mask length.
mode
Indicates the access mode.
Managing the FHS MAC access list
About this task
You can create an FHS MAC access list or add MAC addresses to an existing MAC access list.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create an FHS MAC access list or add MAC addresses to an existing MAC access list:
ipv6 fhs mac–access-list WORD<1-64> <0x00:0x00:0x00:0x00:0x00:0x00>
[mode <allow | deny>]
3. Delete an FHS MAC access list or delete a particular MAC address from the MAC access
list:
no ipv6 fhs mac–access-list WORD<1-64>
<0x00:0x00:0x00:0x00:0x00:0x00>
4. Set the MAC ACL mode to its default value:
default ipv6 fhs mac–access-list WORD<1-64>
<0x00:0x00:0x00:0x00:0x00:0x00> [mode]
Variable definitions
Use the data in the following table to use the ipv6 fhs mac–access-list command.
Variable
Description
WORD<1–64>
Specifies the MAC access list name.
<
0x00:0x00:0x00:0x00:0x00:0x
00>
Specifies the MAC address to be added or deleted.
mode <allow | deny>
Specifies the access mode.
By default, the value is Allow
December 2017
Configuring Security on VOSS
115
Layer 2 security
Displaying FHS MAC access list information
About this task
Displays the current FHS MAC access list information.
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display the current FHS MAC access list information:
show ipv6 fhs mac–access-list [WORD<1–64>]
Example
Switch#show ipv6 fhs mac-access-list
===============================================================
IPv6 FHS Mac Access List Table Info
===============================================================
ACC-LIST-NAME
MAC-ADDRESS
ACL-MODE
--------------------------------------------------------------List2
10:20:30:40:50:60
Allow
00:11:22:33:44:55
Deny
--------------------------------------------------------------All 1 out of 1 Total Num of MAC access list entries displayed
---------------------------------------------------------------
Job aid
The following table shows the field descriptions for the show ipv6 fhs mac–access-list
command.
Field
Description
ACC-LIST-NAME
Indicates the MAC access list name.
MAC-ADDRESS
Indicates the MAC address.
ACL-MODE
Indicates the ACL mode.
Displaying current FHS configuration
About this task
Displays the current FHS configuration.
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display the current FHS configuration:
show ipv6 fhs port-policy {slot/port[/sub-port][-slot/port[/subport]][,...]}
December 2017
Configuring Security on VOSS
116
Layer 2 security configuration using the CLI
Example
Switch:1#show ipv6 fhs port-policy
================================================================================
IPv6 FHS Port Policy Info
================================================================================
PORT DHCPG-DEVICE-ROLE DHCPG-POLICY
RAG-DEVICE-ROLE RAG-POLICY
-------------------------------------------------------------------------------1/1
Server
dhcp_pol1
Router
ra_pol1
-------------------------------------------------------------------------------All 1 out of 1 Total Num of fhs port policy entries displayed
Job aid
The following table shows the field descriptions for the show ipv6 fhs port-policy
command.
Field
Description
PORT
Indicates the port number.
DHCPV6G-POLICY
Indicates the DHCPv6 policy name.
RA-POLICY
Indicates the RA Guard policy name.
DHCPv6 Guard policy configuration
DHCPv6 Guard policy blocks DHCPv6 reply and advertisement messages that originate from
unauthorized DHCPv6 servers and relay agents that forward DHCPv6 packets from servers to
clients.
Enabling or disabling DHCPv6 Guard globally
About this task
Enabling DHCPv6 Guard globally installs filters on the configured interfaces. By default, DHCPv6
Guard is disabled.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable FHS globally:
ipv6 fhs enable
3. Enable DHCPv6 Guard globally:
ipv6 dhcp-guard enable
4. Disable DHCPv6 Guard globally:
no ipv6 dhcp-guard enable
December 2017
Configuring Security on VOSS
117
Layer 2 security
5. Set DHCPv6 Guard to its default value:
default ipv6 dhcp-guard enable
Managing the DHCPv6 Guard policy
About this task
Configure or modify the DHCPv6 Guard policy.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a DHCPv6 Guard policy:
ipv6 dhcp-guard policy WORD<1-64>
3. Delete a DHCPv6 Guard policy:
no ipv6 dhcp-guard policy WORD<1-64>
Note:
You cannot delete a policy that is already attached to a port.
Variable definitions
Use the data in the following table to use the ipv6 dhcp-guard policy command.
Variable
Description
WORD<1–64>
Specifies the created or deleted DHCPv6 Guard policy name.
Attaching a DHCPv6 Guard policy to a port
About this task
Applies a DHCPv6 Guard policy to a specific interface.
Procedure
1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]} or interface vlan <1–4059>
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
December 2017
Configuring Security on VOSS
118
Layer 2 security configuration using the CLI
2. Apply a DHCPv6 Guard policy.
ipv6 fhs dhcp-guard attach-policy WORD<1–64>
3. Detach a DHCPv6 Guard policy from an interface.
no ipv6 fhs dhcp-guard attach-policy
OR
default ipv6 dhcp-guard attach-policy
4. Enable device role verification attached to the port. By default, router is selected.
ipv6 fhs dhcp-guard device-role {client|server} attach-policy
WORD<1-64>
Note:
A DHCPv6 Guard policy can be attached to a port only if the device-role configured on
that port is 'server'.
Variable definitions
Use the data in the following table to use the ipv6 fhs dhcp-guard attach-policy and
ipv6 fhs dhcp-guard device-role command.
Variable
Description
WORD<1–64>
Specify the name of the DHCPv6 Guard policy to be attached or
detached.
{client | server}
Sets the DHCPv6 Guard device role as client or server.
Configuring DHCPv6 Guard in dhcp-guard mode
About this task
Configures DHCPv6 Guard under dhcp-guard mode.
Procedure
1. Enter DHCPv6 Guard Configuration mode.
enable
configure terminal
ipv6 fhs dhcp-guard policy WORD<1-64>
2. Specify IPv6 access list to verify IPv6 source address of DHCPv6 packets..
match server access-list <ipv6-access-list-name>
3. Remove DHCPv6 Guard filtering for the sender’s IPv6 addresses.
no match server access-list
OR
December 2017
Configuring Security on VOSS
119
Layer 2 security
default match server access-list
4. Specify IPv6 prefix list to verify advertised prefixes.
match reply prefix-list <ipv6–prefix-list-name>
5. Remove DHCPv6 Guard filtering for advertised prefixes.
no match reply prefix-list
OR
default match reply prefix-list
6. Specify the minimum limit for verification of the advertised preference.
preference min-limit <0–255>
7. Set the minimum limit for verification of the advertised preference to its default value.
default preference min-limit
8. Specify the maximum limit for verification of the advertised preference.
preference max-limit <0–255>
9. Set the maximum limit for verification of the advertised preference to its default value.
default preference max-limit
Variable definitions
Use the data in the following table to use the dhcp-guard configuration mode commands.
Variable
Description
match server access-list
<ipv6–access-list-name>
Enables verification of the sender’s IPv6 address in inspected messages
from the configured authorized device source access list specified.
Note:
If the access-list is not attached, the IPv6 source address in
DHCPv6 packet is not validated.
If the list is attached and it does not match any entries in IPv6
access list, the switch drops the DHCPv6 packet. If you wish to
change this behavior, add an entry with IPv6 prefix“0::0/0” with the
Allow option, which changes the default drop to default Allow.
{ no | default } match server
access-list
Removes the sender’s IPv6 address based DHCPv6 Guard filtering.
match reply prefix-list <ipv6–
prefix-list-name>
Enables verification of the advertised prefixes in DHCPv6 reply messages
from the configured authorized prefix list. If prefix-list is not configured,
this check is bypassed.
Note:
If the access-list is not attached, the inspection does not occur.
Table continues…
December 2017
Configuring Security on VOSS
120
Layer 2 security configuration using the CLI
Variable
Description
If the list is attached and advertised IPv6 address does not match
any IPv6 prefixes in the list, the switch drops the DHCPv6 packet. If
you wish to change this behavior, add an IPv6 access list entry with
prefix 0::0/0 with the Allow option, which changes the default drop to
default Allow.
{ no | default } match reply
prefix-list
Removes the advertised prefix-based DHCPv6 Guard filtering.
preference min-limit<0–255>
Enables validation of advertised preference (in preference option) to
check if it is greater than the specified limit. If preference is not specified,
this field in the packet is not validated.
While changing the preference limit, ensure the maximum limit is greater
than the minimum limit.
default preference min-limit
Sets the specified limit to its default value.
By default, the value is 0.
preference max-limit<0–255>
Enables validation of advertised preference (in preference option) to
check if it is less than the specified limit. If preference is not specified, this
field in the packet is not validated.
Note:
The preference value in the packet is not validated if both minimum
and maximum values are zero.
default preference max-limit
Sets the specified limit to its default value.
By default, the value is 0.
Displaying DHCPv6 Guard policy
About this task
Displays DHCPv6 Guard policy information for all the configured DHCPv6 Guard policies or a
particular policy.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display DHCPv6 Guard policy information:
show ipv6 fhs dhcp-guard policy WORD<1–64>
Example
Switch:1# show ipv6 fhs dhcp-guard policy
========================================================================================
==========
IPv6 DHCP Guard Policy Info
========================================================================================
==========
POLICY-NAME
SERVER-ACC-LIST
REPLY-PREF-LIST
MIN-RTR-PREF MAX-RTR-PREF
-------------------------------------------------------------------------------------------------
December 2017
Configuring Security on VOSS
121
Layer 2 security
dhcp_pol1
v6_acl1
v6_acl2
0
0
------------------------------------------------------------------------------------------------All 1 out of 1 Total Num of dhcp-guard stats entries displayed
Variable definitions
Use the data in the following table to use the show ipv6 dhcp-guard policy command.
Variable
Description
WORD<1–64>
Displays DHCPv6 Guard policy information for all
the configured DHCPv6 Guard policies.
Policy name is an optional parameter. If policy
name is provided, only the DHCPv6 Guard policy of
the specified policy-name is displayed.
Job aid
The following table shows the field descriptions for the show ipv6 dhcp-guard policy
command.
Field
Description
POLICY-NAME
Indicates the DHCPv6 Guard policy name.
SERVER-ACC-LIST
Indicates if the received DHCPv6 server packet
source IPv6 addresss matches the configured IPv6
access list.
REPLY-PREF-LIST
Indicates if the advertised prefix in received
DHCPv6 server packet matches the configured
IPv6 access list.
MIN-RTR-PREF
Indicates the advertised router preference minimum
limit.
MAX-RTR-PREF
Indicates the advertised router preference
maximum limit.
RA Guard configuration
IPv6 RA Guard provides support to the administrator to block or reject unwanted RA Guard
messages that arrive at the network switch platform. The routers use Router Advertisements
(RAs) to announce themselves on the link. The RA Guard feature analyzes these RAs and filters
out bogus RAs sent by unauthorized routers. The RA Guard feature compares configuration
information on the Layer 2 device with the information found in the received RA frame. After the
Layer 2 device validates the content of the RA packet against the configuration, it forwards the RA
to its destination. If the RA packet validation fails, the RA is dropped.
December 2017
Configuring Security on VOSS
122
Layer 2 security configuration using the CLI
Enabling or disabling RA Guardd globally
About this task
Enables RA Guard globally. By default, RA Guard is disabled.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable FHS globally:
ipv6 fhs enable
3. Enable RA Guard globally:
ipv6 fhs ra-guard enable
4. Disable RA Guard globally:
no ipv6 fhs ra-guard enable
5. Set the RA Guard to its default value:
default ipv6 fhs ra-guard enable
Managing the RA Guard policy
About this task
Configure or modify RA Guard policy. This command also enables the RA Guard configuration
mode.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create the RA Guard policy:
ipv6 fhs ra-guard policy WORD<1-64>
3. Delete the RA Guard policy:
no ipv6 fhs ra-guard policy WORD<1-64>
Note:
You cannot delete a policy that is attached to a port.
Variable definitions
Use the data in the following table to use the ipv6 fhs ra-guard policy command.
December 2017
Configuring Security on VOSS
123
Layer 2 security
Variable
Description
WORD<1–64>
Specifies the name of the RA Guard policy to be
created or deleted.
This is a mandatory parameter in this command.
Configuring RA Guard on an interface
About this task
Attaches or detaches a RA Guard policy on the specific interface.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Apply a RA Guard policy.
ipv6 fhs ra-guard attach-policy WORD<1–64>
Note:
RA Guard device-role on the port has to be configured as 'router' before attaching any
RA Guard policy to the port. If device-role on the port is not 'router', this command will
fail with an appropriate error message.
3. Detach a RA Guard policy from an interface.
no ipv6 fhs ra-guard attach-policy
OR
default ipv6 fhs ra-guard attach-policy
4. Enable device role verification attached to the port.
ipv6 fhs ra-guard device-role {router|host} attach-policy
WORD<1-64>
Note:
A DHCPv6 Guard policy can be attached to a port only if the device-role configured on
that port is 'server'.
December 2017
Configuring Security on VOSS
124
Layer 2 security configuration using the CLI
Variable definitions
Use the data in the following table to use the ipv6 fhs ra-guard attach-policy and ipv6
fhs ra-guard device-role command.
Variable
Description
WORD<1–64>
Specifies the name of the RA Guard policy to be
attached or detached.
{host | router}
Sets the RA Guard device role as host or router.
Configuring RA Guard in RA Guard mode
About this task
Configures RA Guard in the RA Guard configuration mode.
Procedure
1. Enter RA Guard Configuration mode.
enable
configure terminal
ipv6 fhs ra-guard policy WORD<1-64>
2. Configure the filter to match the IPv6 prefixes advertised in RA packets.
match ra-prefix-list WORD<1–64>
3. Remove RA Guard filtering for the advertised prefixes.
no match ra-prefix-list
OR
default match ra-prefix-list
4. Configure the filter to match the source MAC address of RA packets.
match ra-macaddr-list WORD<1–64>
5. Remove the source MAC address-based RA Guard filtering.
no match ra-macaddr-list
OR
default match ra-macaddr-list
6. Configure the filter to match source IPv6 address of RA packets.
match ra-srcaddr-list WORD<1–64>
7. Remove the source IPv6 address based RA Guard filtering.
no match ra-srcaddr-list
OR
December 2017
Configuring Security on VOSS
125
Layer 2 security
default match ra-srcaddr-list
8. Enable managed address configuration flag verification in the advertised RA packet.
managed-config-flag <none |on | off>
9. Enable advertised hop count limit verification.
hop-limit {maximum | minimum} <0–255>
10. Enable the advertised default router-preference parameter value verification.
router-preference maximum {none | high | low | medium}
Variable definitions
Use the data in the following table to configure RA Guard policy.
Variable
Description
match ra-prefix-list WORD<1–64>
Verifies the advertised prefixes in RA packets
against the configured authorized prefix list.
Note:
RA packet's sender IPv6 address is not
validated if no IPv6 source access list is
attached to the RA Guard policy.
If the list is attached and if RA packet's sender
IPv6 address does not match any entry in that
IPv6 prefix list, then the RA packet is dropped.
To change this behavior, add a entry with ipv6
prefix“0::0/0” with Allow option. The default
value changes from Drop to Allow.
{no | default} match ra-prefix-list
Removes the advertised prefix-based RA Guard
filtering
match ra-macaddr-list WORD<1–64>
Verifies sender’s source MAC address against the
configured mac-access-list.
Note:
Advertised prefixes in RA packet are not
validated if no IPv6 prefix list is attached to the
RA Guard policy.
If the list is attached and if it does not match
any MAC in the list, then the RA packet is
dropped.
{no | default} match ra-macaddr-list
Removes the source MAC address-based RA
Guard filtering for the specified MAC address
access list names.
match ra-srcaddr-list WORD<1–64>
Verifies sender’s source IPV6 address against the
configured list.
Table continues…
December 2017
Configuring Security on VOSS
126
Layer 2 security configuration using the CLI
Variable
Description
Note:
Inspection is not done if the access-list is not
attached.
If the list is attached and if it does not match
any IPv6 in the list, then the RA packet is
dropped. To change the behavior, add a
dummy IPv6 “0:0:0:0:0:0” to the list with Allow
option. The default value changes from Drop to
Allow.
{no | default} match ra-srcaddr-list
Removes the source IPv6 address-based RA Guard
filtering for the specified IPv6 address access list
names.
managed-config-flag <none | on | off>
Verifies managed address configuration flag in the
advertised RA packet.
By default, the value is none and check is
bypassed.
hop-limit {maximum | minimum} <0–255>
Verifies the advertised hop count limit. The limit
value range is from 0 to 255.
While changing the minimum or maximum value,
ensure the maximum value is greater than the
minimum value.
By default, the minimum and maximum limit are 0.
In this case, the hop-limit check is bypassed.
router-preference maximum {none | high | low |
medium}
Verifies if the advertised default router-preference
parameter value is lower than or equal to a
specified limit.
By default, the value is none and the check is
bypassed.
Displaying RA Guard configuration
About this task
Display configured RA Guard policy information.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display configured RA Guard policy information:
show ipv6 fhs ra-guard policy WORD<1–64>
Example
Switch:1# show ipv6 fhs ra-guard policy
=======================================================================================================
=====
IPv6 Ra Guard Policy Info
=======================================================================================================
December 2017
Configuring Security on VOSS
127
Layer 2 security
=====
MIN-HOP MAX-HOP
MANAGED
POLICY-NAME
RA-SRC-ADDR-LIST RA-MAC-ADDR-LIST RA-PREFIX-LIST
LIMIT
LIMIT
CON-FLAG PREF
-----------------------------------------------------------------------------------------------------------Ra_guard_pol1
None
None
acl1
0
0
None
None
-----------------------------------------------------------------------------------------------------------All 1 out of 1 Total Num of ra-guard policy entries displayed
Variable definitions
Use the data in the following table to use the show ipv6 fhs ra-guard policy command.
Variable
Description
WORD<1–64>
Displays the RA Guard policy for the specified
policy-name. By default, all the configured RA
Guard policies are displayed.
Job aid
The following table shows the field descriptions for the show ipv6 fhs ra-guard policy
command.
Field
Description
POL-NAME
Indicates the RA Guard policy name.
DEVICE-ROLE
Indicates if the device role is router or host.
IPv6–ACC-LIST
Indicates the IPv6 access list against which the
incoming RA packet's source IPv6 address has to
be validated.
MAC-ACC-LIST
Indicates the MAC access list against which the
incoming RA packet's source MAC address has to
be validated.
PREFIX-LIST
Specifies the IPv6 prefix list against which
advertised prefix information in incoming RA
packets source need to be validated.
MIN HOP-LIMIT
Indicates the advertised hop count minimum limit.
MAX HOP-LIMIT
Indicates the advertised hop count maximum limit.
MANAGED CONF-FLAG
Indicates the managed address configuration flag
status in the advertised RA packet.
RTR-PREF
Indicates the advertised default router preference
value.
IPv6 Neighbor Discovery inspection configuration
This section describes how to configure ND inspection on the switch and protect the network by
mitigating the various types of attacks.
December 2017
Configuring Security on VOSS
128
Layer 2 security configuration using the CLI
Important:
Enable FHS globally before enabling ND inspection.
Enabling ND inspection globally
Before you begin
Enable FHS globally for ND inspection to work.
About this task
Use this procedure to enable Neighbor Discovery (ND) inspection globally.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable ND inspection globally:
ipv6 fhs nd-inspection enable
Clearing Neighbor Discovery inspection statistics
About this task
Use this procedure to clear the Neighbor Discovery inspection statistics.
Procedure
1. Enter Privileged EXEC mode:
enable
2. Clear the Neighbor Discovery inspection statistics:
clear ipv6 fhs statistics nd-inspection [{slot/port[/sub-port] [slot/port[/sub-port]] [,...]}]
Note:
Alternatively, you can use the command clear ipv6 fhs statistics all to
clear the ND inspection statistics along with RA guard statistics and DHCPv6 Guard
statistics.
Variable definitions
Use the data in the following table to use the clear ipv6 fhs statistics nd-inspection
command.
Variable
Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of
slots and ports (slot/port-slot/port), or a series of
December 2017
Configuring Security on VOSS
129
Layer 2 security
Variable
Value
slots and ports (slot/port,slot/port,slot/port). If your
platform supports channelization and the port is
channelized, you must also specify the sub-port in
the format slot/port/sub-port.
Enabling Neighbor Discovery inspection on a VLAN
Before you begin
Enable FHS globally for ND inspection to work.
About this task
Use this procedure to enable Neighbor Discovery inspection on a VLAN.
Procedure
1. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4059>
2. Enable Neighbor Discovery inspection on the VLAN:
ipv6 fhs nd-inspection enable
Enabling Neighbor Discovery inspection on a port
Before you begin
Enable FHS globally for ND inspection to work.
About this task
Use this procedure to enable Neighbor Discovery inspection on a port
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Enable Neighbor Discovery inspection on the port:
ipv6 fhs nd-inspection enable
December 2017
Configuring Security on VOSS
130
Layer 2 security configuration using the CLI
Viewing Neighbor Discovery inspection status globally
About this task
Use this procedure to view the Neighbor Discovery inspection status globally
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display the ND inspection status globally:
show ipv6 fhs status
Viewing Neighbor Discovery inspection status on a port
About this task
Use this procedure to view Neighbor Discovery inspection status on a port.
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display port-wise ND inspection status:
show ipv6 fhs port-policy
Viewing Neighbor Discovery inspection statistics on a port
About this task
Use this procedure to view the Neighbor Discovery inspection statistics on a port or set of ports.
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display ND inspection statistics on a port or a set of ports:
show ipv6 fhs statistics nd-inspection {slot/port[/sub-port] [slot/port[/sub-port]] [,...]}
Variable definitions
Use the data in the following table to use the show ipv6 fhs statistics nd-inspection
command.
Variable
Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of
slots and ports (slot/port-slot/port), or a series of
slots and ports (slot/port,slot/port,slot/port). If your
December 2017
Configuring Security on VOSS
131
Layer 2 security
Variable
Value
platform supports channelization and the port is
channelized, you must also specify the sub-port in
the format slot/port/sub-port.
IPv6 DHCP snooping configuration
This section describes how to configure IPv6 DHCP snooping on the switch and protect the
network by mitigating the various types of attacks.
Important:
Configure DHCPv6 Guard before enabling IPv6 DHCP snooping. DHCPv6 Guard classifies
the ports as trusted or untrusted and extracts DHCPv6 reply packets received on trusted ports
to the control path. For more information on how to configure DHCPv6 Guard, see DHCPv6
Guard policy configuration on page 117.
Creating a static Security Binding Table entry
Use this procedure to enable learning Security Binding Table (SBT) entries on all the VLANs
where IPv6 DHCP snooping is configured.
About this task
Use this procedure to create a static SBT entry.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Add a static SBT entry:
ipv6 fhs snooping static-binding ipv6-address WORD<0-46> vlan
<1-4059> mac-address 0x00:0x00:0x00 port {slot/port[/sub-port]}
Note:
To delete an SBT entry, use the command no ipv6 fhs snooping staticbinding.
Example
Add a static SBT entry.
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)#ipv6 fhs snooping static-binding ipv6-address 2001:DB8:89ab:cdef:
0123:4567:89ab:cdef vlan 1000 mac-address 00:11:22:33:44:55 port 1/2
December 2017
Configuring Security on VOSS
132
Layer 2 security configuration using the CLI
Variable definitions
Use the data in the following table to use the ipv6 fhs snooping static-binding ipv6address command.
Variable
Value
mac-address 0x00:0x00:0x00
Specifies the MAC address of the binding entry.
port {slot/port[/sub-port]}
Identifies a single slot and port. If your platform
supports channelization and the port is channelized,
you must also specify the sub-port in the format
slot/port/sub-port.
vlan <1-4059>
Specifies the VLAN ID in the range of 1 to 4059. By
default, VLAN IDs 1 to 4059 are configurable and
the system reserves VLAN IDs 4060 to 4094 for
internal use. On switches that support the vrfscaling and spbm-config-mode boot configuration
flags, if you enable these flags, the system also
reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the
default VLAN and you cannot create or delete
VLAN ID 1.
WORD<0-46>
Specifies the IPv6 address for the binding entry.
Clearing a dynamic SBT entry
About this task
Use this procedure to clear all or a particular dynamic SBT entry.
Procedure
1. Enter Privileged EXEC mode:
enable
2. Clear a dynamic SBT entry:
clear ipv6 fhs snooping [vlan <1-4059>][ipv6-address WORD<0-46>]
Example
Clear a dynamic SBT entry on a VLAN.
Switch:1> enable
Switch:1>clear ipv6 fhs snooping vlan 1000 ipv6-address 2001:DB8:89ab:cdef:
0123:4567:89ab:cdef
Variable definitions
Use the data in the following table to use the clear ipv6 fhs snooping command.
December 2017
Configuring Security on VOSS
133
Layer 2 security
Variable
Value
ipv6-address WORD<0-46>
Specifies the IPv6 address for the binding entry to
clear. You cannot specify an address without first
specifying the VLAN.
vlan <1-4059>
Specifies the VLAN ID in the range of 1 to 4059. By
default, VLAN IDs 1 to 4059 are configurable and
the system reserves VLAN IDs 4060 to 4094 for
internal use. On switches that support the vrfscaling and spbm-config-mode boot configuration
flags, if you enable these flags, the system also
reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the
default VLAN and you cannot create or delete
VLAN ID 1.
If you do not specify a VLAN, the command clears
all entries.
Enabling IPv6 DHCP snooping on a VLAN
Before you begin
Enable IPv6 DHCPv6 Guard for IPv6 DHCP snooping to work.
About this task
Use this procedure to configure IPv6 DHCP snooping on a VLAN.
Procedure
1. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4059>
2. Configure IPv6 DHCP snooping on the VLAN:
ipv6 fhs snooping dhcp enable
Viewing IPv6 DHCP snooping and ND inspection status on a VLAN
About this task
Use this procedure to view IPv6 DHCP snooping and ND inspection status on a VLAN.
Procedure
1. Enter Privileged EXEC mode:
enable
2. View the IPv6 DHCP snooping and ND inspection status on a VLAN:
show ipv6 fhs status vlan [<1-4059>]
December 2017
Configuring Security on VOSS
134
Layer 2 security configuration using the CLI
Example
View the status for all VLANs.
Switch:1#show ipv6 fhs status vlan
========================================================================================
==
IPv6 FHS VLAN Information
========================================================================================
==
VLAN-ID
DHCP-SNOOPING-STATUS
ND-INSPECTION-STATUS
----------------------------------------------------------------------------------------1
Disabled
Disabled
3
Disabled
Disabled
4
Disabled
Disabled
22
Disabled
Disabled
----------------------------------------------------------------------------------------All 4 out of 4 Total Num of FHS VLAN entries displayed
Variable definitions
Use the data in the following table to use the show ipv6 fhs status vlan command.
Variable
Value
<1-4059>
Specifies the VLAN ID in the range of 1 to 4059. By
default, VLAN IDs 1 to 4059 are configurable and
the system reserves VLAN IDs 4060 to 4094 for
internal use. On switches that support the vrfscaling and spbm-config-mode boot configuration
flags, if you enable these flags, the system also
reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the
default VLAN and you cannot create or delete
VLAN ID 1.
If you do not specify a VLAN ID, the command
output includes all VLANs.
Viewing SBT entries
About this task
Use this procedure to view SBT entries.
Procedure
1. Enter Privileged EXEC mode:
enable
2. View all SBT entries:
show ipv6 fhs snooping binding
3. View the SBT entries by type:
December 2017
Configuring Security on VOSS
135
Layer 2 security
show ipv6 fhs snooping binding type {dynamic | static}
4. View the SBT entries by VLAN:
show ipv6 fhs snooping binding vlan <1-4059>[ipv6-address
WORD<0-46>]
Variable definitions
Use the data in the following table to use the show ipv6 fhs snooping binding command.
Variable
Value
ipv6-address WORD<0-46>
Specifies the IPv6 address for the binding entry.
type {dynamic | static}
Shows only dynamic binding entries or static
binding entries.
vlan <1-4059>
Specifies the VLAN ID in the range of 1 to 4059. By
default, VLAN IDs 1 to 4059 are configurable and
the system reserves VLAN IDs 4060 to 4094 for
internal use. On switches that support the vrfscaling and spbm-config-mode boot configuration
flags, if you enable these flags, the system also
reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the
default VLAN and you cannot create or delete
VLAN ID 1.
IP Source Guard configuration
The following sections provide procedural information you can use to configure IP Source Guard
(IPSG) using the Command Line Interface (CLI).
Note:
The switch supports configuration of IP Source Guard for both IPv4 and IPv6 addresses.
Enabling IP Source Guard on a port for IPv4 addresses
About this task
Enable IP Source Guard (IPSG) on a port to add a higher level of security to the port by
preventing IP spoofing. When you enable IPSG on the interface, filters are automatically installed
for the IPv4 addresses that are already learned on that interface.
Important:
Do not enable IPSG on MLT, DMLT, SMLT, LAG, trunk ports or ports that are a part of private
VLANs.
Before you begin
Ensure that the following conditions are all satisfied, before you enable IPSG on a port. Otherwise,
the system displays error messages.
• DHCP Snooping is enabled globally.
December 2017
Configuring Security on VOSS
136
Layer 2 security configuration using the CLI
• The port is a member of a VLAN that is configured with both DHCP Snooping and Dynamic
ARP Inspection.
• The port is an untrusted port enabled with both DHCP Snooping and Dynamic ARP
Inspection.
• The port has enough resources allocated, to support the maximum number of 10 IP
addresses allowed for IPSG.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Enable IPSG on the port:
ip source verify enable
3. Verify IPSG configuration:
show ip source verify interface gigabitethernet [{slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
Example
Configure IPSG on port 4/1.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 4/1
Switch:1(config-if)#ip source verify enable
Verify the configuration.
Switch:1(config-if)#show ip source verify interface gigabitEthernet
===================================================================================
Source Guard Port Info
===================================================================================
PORT
NUM
ENABLE
----------------------------------------------------------------------------------1/1
false
1/2
false
4/1
true
4/2
false
4/3
false
4/4
false
4/5
false
4/6
false
-----------------------------------------------------------------------------------
December 2017
Configuring Security on VOSS
137
Layer 2 security
All 8 out of 8 Total Num of Ip Source Guard entries displayed
Switch:1(config-if)#show ip source verify interface gigabitEthernet 4/1
===================================================================================
Source Guard Port Info
===================================================================================
PORT
NUM
ENABLE
----------------------------------------------------------------------------------4/1
true
----------------------------------------------------------------------------------All 1 out of 1 Total Num of Ip Source Guard entries displayed
Variable definitions
Use the data in the following table to use the ip source verify command.
Variable
Value
enable
Enables IP Source Guard on the port.
Disabling IP Source Guard for IPv4 addresses
About this task
Disable IP Source Guard (IPSG) on a port to allow traffic from all IPv4 addresses to go through
the port without being filtered.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Disable IPSG for IPv4 addresses:
no ip source verify
3. Verify IPSG configuration:
show ip source verify interface gigabitethernet [{slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
Example
Disable IPSG on port 4/1.
Switch:1>enable
Switch:1#configure terminal
December 2017
Configuring Security on VOSS
138
Layer 2 security configuration using the CLI
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 4/1
Switch:1(config-if)#no ip source verify
Verify the configuration.
Switch:1(config-if)#show ip source verify interface gigabitEthernet 4/1
===================================================================================
Source Guard Port Info
===================================================================================
PORT
NUM
ENABLE
----------------------------------------------------------------------------------4/1
false
----------------------------------------------------------------------------------All 1 out of 1 Total Num of Ip Source Guard entries displayed
Viewing IP Source Guard configuration on a port
About this task
View IP Source Guard (IPSG) configuration on a port, with filters for IPv4 addresses.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. View IPSG configuration:
show ip source verify interface gigabitEthernet [{slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
Example
Switch:1>show ip source verify interface gigabitEthernet 4/1
====================================================================================
Source Guard Port Info
====================================================================================
PORT
NUM
ENABLE
-----------------------------------------------------------------------------------4/1
true
-----------------------------------------------------------------------------------All 1 out of 1 Total Num of Ip Source Guard entries displayed
Variable definitions
Use the data in the following table to use the show ip source verify interface
gigabitEthernet command.
Variable
Value
{slot/port[/sub-port] [-slot/port[/sub-port]]
[,...]}
Identifies the slot and port in one of the following formats: a
single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/
port,slot/port,slot/port). If your platform supports
December 2017
Configuring Security on VOSS
139
Layer 2 security
Variable
Value
channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
Viewing IPv4 address bindings
About this task
View the IPv4 address bindings that IP Source Guard (IPSG) allows.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. View the allowed IPv4 address bindings for a specific interface:
show ip source binding [interface gigabitEthernet {slot/port[/subport] [-slot/port[/sub-port]] [,...]}]|[vlan <1-4059>]|[vrf
WORD<1-16>]|[vrfids WORD<0-512>]
3. View the allowed IPv4 address bindings for a specific IP address:
show ip source binding {A.B.C.D}
Example
View the allowed IPv4 address bindings for the port 4/1.
Switch:1>show ip source binding interface gigabitEthernet 4/1
========================================================================================
==
IPSG Source Table
========================================================================================
==
PORT
IP
VLAN
VRF
NUM
ADDRESS
ID
NAME
----------------------------------------------------------------------------------------4/1
192.0.2.1
200
GlobalRouter
----------------------------------------------------------------------------------------All 1 out of 1 Total IP Source Guard entries displayed
View the IPv4 address bindings for a specific IP address.
Switch:1>show ip source binding 192.0.2.1
========================================================================================
==
IPSG Source Table
========================================================================================
==
PORT
IP
VLAN
VRF
NUM
ADDRESS
ID
NAME
----------------------------------------------------------------------------------------4/1
192.0.2.1
200
GlobalRouter
-----------------------------------------------------------------------------------------
December 2017
Configuring Security on VOSS
140
Layer 2 security configuration using the CLI
All 1 out of 1 Total IP Source Guard entries displayed
Variable definitions
Use the data in the following table to use the show ip source binding command.
Variable
Value
{A.B.C.D}
Identifies the IPv4 address.
interface gigabitEthernet {slot/port[/subport] [-slot/port[/sub-port]] [,...]}
Identifies the slot and port in one of the following formats: a
single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/
port,slot/port,slot/port). If your platform supports
channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
vlan <1-4059>
Specifies the VLAN ID of the VLAN for which to view IPv4
address bindings.
vrf WORD<1-16>
Specifies the VRF name of the VRF for which to view the
IPv4 address bindings.
vrfids WORD<0-512>
Specifies the VRF ID of the VRF for which to view IPv4
address bindings.
Enabling IP Source Guard on a port for IPv6 addresses
About this task
Enable IP Source Guard (IPSG) on a port, to add a higher level of security to the port by
preventing IP spoofing. When you enable IPSG on the interface, filters are installed for IPv6
addresses that are already learned on that interface.
Important:
Do not enable IPSG on MLT, DMLT, SMLT, LAG, trunk ports or ports that are a part of private
VLANs.
Before you begin
Ensure that the following conditions are all satisfied, before you enable IPSG on a port. Otherwise,
the system displays error messages.
• DHCP Snooping is enabled globally.
• The port is a member of a VLAN that is configured with both DHCP Snooping and IPv6
Neighbor Discovery inspection.
• The port is an untrusted port enabled with both DHCP Snooping and IPv6 Neighbor
Discovery inspection.
• The port has enough resources allocated, to support the maximum number of 10 IP
addresses allowed for IPSG.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
December 2017
Configuring Security on VOSS
141
Layer 2 security
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Configure the maximum number of allowed IPv6 addresses on a port:
ipv6 source-guard [max-allowed-addr <2-10>]
Note:
Ensure that you configure the maximum number of allowed IPv6 addresses on a port,
before you enable IPSG on that port.
3. Enable IPSG on the port:
ipv6 source-guard enable
4. Verify IPSG configuration information on the port:
show ipv6 source-guard interface gigabitEthernet [{slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
Example
Enable IPSG on a port.
Configure the maximum allowed IPv6 addresses on port 4/1 as 10 and enable IPSG on that port.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 4/1
Switch:1(config-if)#ipv6 source-guard max-allowed-addr 10
Switch:1(config-if)#ipv6 source-guard enable
Verify the configuration.
Switch:1(config-if)#show ipv6 source-guard interface gigabitEthernet 4/1
Slot/Port Source Guard Number of IPv6 Address
Mode
address allowed overflow count
==========================================================
4/1
Enabled
10
0
Optionally view all interfaces with IPSG enabled.
Switch:1(config-if)#show ipv6 source-guard interface enabled
Slot/Port Source Guard Number of IPv6 Address
Mode
address allowed overflow count
==========================================================
4/1
Enabled
4
0
3/1
Enabled
9
0
Variable definitions
Use the data in the following table to use the ipv6 source-guard command.
December 2017
Configuring Security on VOSS
142
Layer 2 security configuration using the CLI
Variable
Value
enable
Enables IP Source Guard on a port.
max-allowed-addr <2–10>
Specifies the maximum number of IPv6 addresses allowed
to transmit data through the port. The default value is 4.
Note:
To reset the value to default, IPSG must be disabled on
the interface.
Disabling IP Source Guard for IPv6 addresses
About this task
Disable IP Source Guard (IPSG) on a port to allow traffic from all IPv6 addresses to go through
the port without being filtered.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Disable IPSG for IPv6 addresses on a port:
no ipv6 source-guard enable
3. Verify IPSG configuration on the port:
show ipv6 source-guard interface gigabitEthernet [{slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
Example
Disable IPSG on port 4/1.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 4/1
Switch:1(config-if)no ipv6 source-guard enable
Verify the configuration.
Switch:1(config-if)#show ipv6 source-guard interface gigabitEthernet 4/1
Slot/Port Source Guard Number of IPv6 Address
Mode
address allowed overflow count
==========================================================
4/1
Disabled
10
0
December 2017
Configuring Security on VOSS
143
Layer 2 security
Clearing IP Source Guard overflow counters
About this task
Overflow counters consist of IPv6 addresses that are not added to IP Source Guard (IPSG) due to
lack of filter resources. Use this procedure to clear the overflow counters for an IPSG port.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Clear the overflow counters:
ipv6 source-guard overflow-count clear
3. Verify the configuration on the port:
show ipv6 source-guard interface gigabitEthernet [{slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
4. (Optional) View the overflow counters on all IPSG enabled ports:
show ipv6 source-guard interface enabled
Example
Clear overflow counters on the IPSG port 4/1.
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 4/1
Switch:1(config-if)#ipv6 source-guard overflow-count clear
Verify the configuration on port 4/1.
Switch:1(config-if)#show ipv6 source-guard interface gigabitEthernet 4/1
Slot/Port Source Guard Number of IPv6 Address
Mode
address allowed overflow count
==========================================================
4/1
Enabled
10
0
Optionally view the overflow counters on all IPSG enabled ports.
Switch:1(config-if)#show ipv6 source-guard interface enabled
Slot/Port Source Guard Number of IPv6 Address
Mode
address allowed overflow count
==========================================================
4/1
Enabled
4
0
3/1
Enabled
9
0
December 2017
Configuring Security on VOSS
144
Layer 2 security configuration using the CLI
Viewing IP Source Guard configuration for IPv6 addresses
Procedure
1. Log on to the switch to enter User EXEC mode.
2. View IPSG configuration on a specified interface:
show ipv6 source-guard interface gigabitEthernet [{slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
3. View IPSG configuration on all IPSG enabled interfaces:
show ipv6 source-guard interface enabled
Example
Switch:1#show ipv6 source-guard interface gigabitEthernet 4/1
Slot/Port
Source Guard Number of IPv6 Address
Mode
address allowed overflow count
==========================================================
4/1
Enabled
4
0
Switch:1#show ipv6 source-guard interface enabled
Slot/Port
Source Guard Number of IPv6 Address
Mode
address allowed overflow count
==========================================================
4/1
Enabled
4
0
4/2
Enabled
9
0
Variable definitions
Use the data in the following table to use the show ipv6 source-guard interface
gigabitEthernet command.
Variable
Value
enabled
Displays IPSG configuration on all IPSG enabled interfaces.
gigabitEthernet {slot/port[/sub-port] [-slot/
port[/sub-port]] [,...]}
Displays IPSG configuration on the specified interface.
Identifies the slot and port in one of the following formats: a
single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/
port,slot/port,slot/port). If your platform supports
channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
Viewing IPv6 address bindings
About this task
View the IPv6 address bindings that IP Source Guard (IPSG) allows.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. View the allowed IPv6 address bindings:
December 2017
Configuring Security on VOSS
145
Layer 2 security
show ipv6 source-guard binding [WORD<0-46>] [interface
gigabitEthernet {slot/port[/sub-port] [-slot/port[/sub-port]]
[,...]}]
Example
View the IPv6 address bindings for port 1/3.
Switch:1>show ipv6 source-guard binding interface gigabitEthernet 1/3
Slot/Port
IPv6 Address
==========================================================
1/3
2001::10:10:0:1
1/3
fe80::210:94ff:fe00:550b
-----------------------------------------------------------
View the IPv6 address bindings for a specific IPv6 address.
Switch:1>show ipv6 source-guard binding fe80::210:94ff:fe00:550b
Slot/Port
IPv6 Address
==========================================================
1/3
fe80::210:94ff:fe00:550b
-----------------------------------------------------------
Variable definitions
Use the data in the following table to use the show ipv6 source-guard binding command.
Variable
Value
WORD<0-46>
Identifies the IPv6 address.
interface gigabitEthernet {slot/port[/subport] [-slot/port[/sub-port]] [,...]}
Identifies the slot and port in one of the following formats: a
single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/
port,slot/port,slot/port). If your platform supports
channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
Layer 2 security configuration using the EDM
Use the following sections to help you configure Layer 2 security features and protect the network
by mitigating various types of attacks, using the Enterprise Device Manager (EDM).
For IPv4 deployments, configure:
• DHCP Snooping
• Dynamic ARP Inspection
• IP Source Guard for IPv4 addresses
For IPv6 deployments, configure:
• First Hop Security (FHS)
December 2017
Configuring Security on VOSS
146
Layer 2 security configuration using the EDM
Note:
FHS does not solve all cases of denial of services like blocking flooding of the IPv6
messages.
• DHCP Snooping and IPv6 Neighbor Discovery Inspection
• IP Source Guard for IPv6 addresses
Dynamic ARP Inspection configuration using EDM
The following section provides procedures to configure Dynamic ARP Inspection (DAI) using
EDM.
Configuring Dynamic ARP Inspection on VLANs
Use the following procedure to enable or disable DAI on one or more VLANs.
Note:
DAI cannot be enabled on Private VLANs (E-Tree) and SPBM B-VLANs.
Before you begin
You must enable DHCP Snooping globally.
Procedure
1. In the navigation pane, expand the Configuration > IP folders.
2. Click ARP Inspection.
3. Click the ARP Inspection-VLAN tab.
4. In the row for the VLAN, double-click the Enabled field, and select true to enable DAI.
5. Click Apply.
ARP Inspection-VLAN field descriptions
Use the data in the following table to use the ARP Inspection-VLAN tab.
Name
Description
VlanId
Specifies the VLAN ID.
Enabled
Specifies if DAI is enabled or disabled for the particular VLAN. By
default, DAI is disabled.
Configuring Dynamic ARP Inspection on ports
Use the following procedure to set the trust factor associated with a port for DAI . By default, the
trust factor is set to untrusted.
Note:
For ports that are part of an MLT, DAI must be configured using the MLT configuration mode.
December 2017
Configuring Security on VOSS
147
Layer 2 security
Before you begin
You must enable DHCP Snooping globally.
Procedure
1. In the navigation pane, expand the Configuration > IP folders.
2. Click ARP Inspection.
3. Click the ARP Inspection-port tab.
4. In the row for the port, double-click the IfTrusted field, and select trusted or untrusted to
set DAI.
5. Click Apply.
ARP Inspection-port field descriptions
Use the data in the following table to use the ARP Inspection-port tab.
Name
Description
Port
Specifies the port on the switch.
IfTrusted
Specifies the trust factor for DAI on the specific port. By default, it
is set as untrusted.
Configuring FHS Globals
About this task
Use this procedure to enable FHS to enable DHCPv6 Guard, RA Guard, and ND-inspection
globally, and to configure the lifetime for these policies.
Procedure
1. From the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the Globals tab.
4. Select FHS global options.
5. Click Apply to save the changes.
6. (Optional) Click Refresh to update the results.
Globals field descriptions
Use the data in the following table to use the Globals tab.
Name
Description
Admin
Enables or disables the FHS policy.
Table continues…
December 2017
Configuring Security on VOSS
148
Layer 2 security configuration using the EDM
Name
Description
RAGuardAdmin
Enables or disables the RA Guard policy.
DHCPv6GuardAdmin
Enables or disables the DHCPv6 Guard policy.
NdInspectAdmin
Enables or disables Neighbor Discovery inspection.
IPv6 access list configuration
An IPv6 access list is created to verify the sender's IPv6 address in the inspected messages. You
can create, view, or delete an IPv6 access list.
Creating IPv6 access list
About this task
Use this procedure to create an FHS IPv6 access list or add IPv6 prefixes to the existing IPv6
access list.
Procedure
1. In the navigation pane, expand the following folders: Configuration—> IPv6.
2. Click FHS.
3. Click the IPv6 Access List tab.
4. Click Insert.
5. Configure the parameters for the IPv6 access list.
6. Click Insert.
IPv6 Access List field descriptions
Use the data in the following table to use the IPv6 Access List tab.
Name
Description
Name
Specify the IPv6 access list name to create the IPv6
access list.
Prefix
Specify the IPv6 prefix for adding it to the IPv6
access list.
PrefixMaskLen
Specify the prefix length for adding it to the IPv6
access list. The value range is from 0 to 128. By
default, the value is 0.
MaskLenFrom
Specify the start mask length for providing the IPv6
range. The value range is from 0 to 128. By default,
the value is set to the configured prefix length of the
IPv6 access list entry.
Table continues…
December 2017
Configuring Security on VOSS
149
Layer 2 security
Name
Description
MaskLenTo
Specify the end mask length for providing the IPv6
range. The value range is from 0 to 128. By default,
the value is set to the configured prefix length of the
IPv6 access list entry.
AccessType
Select the access type to allow or deny the entry.
By default, the access type is allow.
Note:
• MaskLenFrom and MaskLenTo must always be greater than or equal to the configured
PrefixMaskLen for this IPv6 access list entry
• The MaskLenFrom value must always be less than or equal to the MaskLenTo value.
Viewing IPv6 access list
About this task
Use this procedure to display the IPv6 access list.
Procedure
1. In the navigation pane, expand the following folders: Configuration—> IPv6.
2. Click FHS.
3. Click the IPv6 Access List tab.
IPv6 Access List field descriptions
Use the data in the following table to use the IPv6 Access List tab.
Name
Description
Name
Specify the IPv6 access list name to create the IPv6
access list.
Prefix
Specify the IPv6 prefix for adding it to the IPv6
access list.
PrefixMaskLen
Specify the prefix length for adding it to the IPv6
access list. The value range is from 0 to 128. By
default, the value is 0.
MaskLenFrom
Specify the start mask length for providing the IPv6
range. The value range is from 0 to 128. By default,
the value is set to the configured prefix length of the
IPv6 access list entry.
MaskLenTo
Specify the end mask length for providing the IPv6
range. The value range is from 0 to 128. By default,
the value is set to the configured prefix length of the
IPv6 access list entry.
AccessType
Select the access type to allow or deny the entry.
By default, the access type is allow.
December 2017
Configuring Security on VOSS
150
Layer 2 security configuration using the EDM
Note:
• MaskLenFrom and MaskLenTo must always be greater than or equal to the configured
PrefixMaskLen for this IPv6 access list entry
• The MaskLenFrom value must always be less than or equal to the MaskLenTo value.
Deleting the IPv6 access list
About this task
Use this procedure to delete the created IPv6 access list.
Procedure
1. In the navigation pane, expand the following folders: Configuration—> IPv6.
2. Click FHS.
3. Click the IPv6 Access List tab.
4. Select a row from the IPv6 access list to delete.
5. Click Delete.
MAC access list configuration
A MAC access list is created to verify the sender's MAC address in the RA packet. You can view,
create or delete a MAC access list.
Creating MAC access list
About this task
Use this procedure to create a MAC access list or add a MAC address to the existing MAC access
list.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the MAC Access List tab.
4. Click Insert.
5. Configure the parameters for the MAC access list.
6. Click Insert.
MAC Access List field descriptions
Use the data in the following table to use the MAC Access List tab.
December 2017
Configuring Security on VOSS
151
Layer 2 security
Name
Description
Name
Specify a name to create a MAC access list.
Mac
Specify the MAC address to add to the MAC access
list, in (xx:xx:xx:xx:xx:xx) format.
AccessType
Specify allow or deny. By default, the access type is
allow.
Viewing a MAC access list
About this task
Use this procedure to display a configured MAC access list.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the MAC Access List tab.
MAC Access List field descriptions
Use the data in the following table to use the MAC Access List tab.
Name
Description
Name
Specify a name to create a MAC access list.
Mac
Specify the MAC address to add to the MAC access
list, in (xx:xx:xx:xx:xx:xx) format.
AccessType
Specify allow or deny. By default, the access type is
allow.
Deleting a MAC access list
About this task
Use this procedure to delete the created MAC access list.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the MAC Access List tab.
4. Select a row from the MAC access list to delete.
5. Click Delete.
December 2017
Configuring Security on VOSS
152
Layer 2 security configuration using the EDM
DHCPv6 Guard policy configuration
Configure the DHCPv6 Guard policy to block DHCPv6 reply and advertisement messages that
originate from unauthorized DHCPv6 servers and relay agents that forward DHCPv6 packets from
servers to clients. You can view, create or delete a DHCPv6 Guard policy.
Creating DHCPv6 Guard policy
About this task
Use this procedure to create the DHCPv6 Guard policy to block DHCPv6 reply and advertisement
messages that originate from unauthorized DHCPv6 servers and relay agents.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the DHCPv6 Guard Policy tab.
4. Click Insert.
5. Configure the parameters for the DHCPv6 Guard policy.
6. Click Insert.
7. (Optional) Click Refresh to update the results.
DHCPv6 Guard Policy field descriptions
Use the data in the following table to use the DHCPv6 Guard Policy tab.
Name
Description
PolicyName
Specifies the policy name to create or modify
DHCPv6 Guard policy.
ServerAccessListName
Enables verification of the sender IPv6 address in
the DHCPv6 reply or advertisement packets against
attached IPv6 server access list.
Note:
If the access-list is not attached, the source
IPv6 address is not validated. If the list is
attached and it does not match with any
entries in attached IPv6 access list, the switch
drops the DHCPv6 packet. To change this
behavior, add an entry in the IPv6 access list
with prefix 0::0/0 with access type as allow,
which changes the drop by default to allow by
default.
Table continues…
December 2017
Configuring Security on VOSS
153
Layer 2 security
Name
Description
ReplyPrefixListName
Enables verification of the advertised prefixes in
DHCPv6 reply messages against the attached
prefix list. If not configured, this check is bypassed.
Note:
If the access-list is not attached, the advertised
address/prefix is not validated. If the list is
attached and it does not match with any
entries in attached IPv6 access list, the switch
drops the DHCPv6 packet. To change this
behavior, an entry in the IPv6 access list with
prefix 0::0/0 with access type as allow, which
changes the drop by default to allow by
default.
PrefLimitMin
Enables verification if the advertised preference (in
reference option) is greater than the specified limit.
If not specified, this check does not occur.
The value range is from 0 to 255.
PrefixLimitMax
Enables verification if the advertised preference (in
preference option) is less than the specified limit. If
not specified, this check does not occur.
The value range is from 0 to 255.
Note:
If both the maximum and minimum limit is 0,
this preference check is ignored.
Viewing a DHCPv6 Guard policy
About this task
Use this procedure to display configured DHCPv6 Guard policies.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the DHCPv6 Guard Policy tab.
DHCPv6 Guard Policy field descriptions
Use the data in the following table to use the DHCPv6 Guard Policy tab.
Name
Description
PolicyName
Specifies the policy name to create or modify
DHCPv6 Guard policy.
Table continues…
December 2017
Configuring Security on VOSS
154
Layer 2 security configuration using the EDM
Name
Description
ServerAccessListName
Enables verification of the sender IPv6 address in
the DHCPv6 reply or advertisement packets against
attached IPv6 server access list.
Note:
If the access-list is not attached, the source
IPv6 address is not validated. If the list is
attached and it does not match with any
entries in attached IPv6 access list, the switch
drops the DHCPv6 packet. To change this
behavior, add an entry in the IPv6 access list
with prefix 0::0/0 with access type as allow,
which changes the drop by default to allow by
default.
ReplyPrefixListName
Enables verification of the advertised prefixes in
DHCPv6 reply messages against the attached
prefix list. If not configured, this check is bypassed.
Note:
If the access-list is not attached, the advertised
address/prefix is not validated. If the list is
attached and it does not match with any
entries in attached IPv6 access list, the switch
drops the DHCPv6 packet. To change this
behavior, an entry in the IPv6 access list with
prefix 0::0/0 with access type as allow, which
changes the drop by default to allow by
default.
PrefLimitMin
Enables verification if the advertised preference (in
reference option) is greater than the specified limit.
If not specified, this check does not occur.
The value range is from 0 to 255.
PrefixLimitMax
Enables verification if the advertised preference (in
preference option) is less than the specified limit. If
not specified, this check does not occur.
The value range is from 0 to 255.
Note:
If both the maximum and minimum limit is 0,
this preference check is ignored.
Deleting a DHCPv6 Guard policy
About this task
Use this procedure to delete the created DHCPv6 Guard policy.
December 2017
Configuring Security on VOSS
155
Layer 2 security
Note:
If this policy is already attached to an interface, then this policy cannot be deleted.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the DHCPv6 Guard Policy tab.
4. Select a row from DHCPv6 Guard policies to delete.
5. Click Delete.
RA Guard policy configuration
Configure RA Guard to block or reject unwanted or rogue RA messages that arrive at the network
device platform. You can view, create or delete RA Guard policy.
Creating RA Guard policy
About this task
Use this procedure to create a RA Guard policy to block or reject unwanted or rogue RA
messages that arrive at the network device platform.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the RA Guard Policy tab.
4. Click Insert.
5. Configure the parameters for the RA Guard policy.
6. Click Insert.
7. (Optional) Click Refresh to update the results.
RA Guard Policy field descriptions
Use the data in the following table to use the RA Guard Policy tab.
Name
Description
PolicyName
Specifies the name of the RA Guard policy to be
created or modified.
SrcAddrList
Specify the IPv6 access list name to verify the
sender IPv6 address in the RA packets against the
attached IPv6 access list.
Table continues…
December 2017
Configuring Security on VOSS
156
Layer 2 security configuration using the EDM
Name
Description
Note:
The source address in the RA packet is not
validated if the access-list is not attached.
If the list is attached and the IPv6 source
address in RA packet does not match any
IPv6-prefix in the list, then the RA packet is
dropped. To change this behavior, add an entry
in the IPv6 access list with prefix 0::0/0 with
access type as allow. The default value
changes from drop to allow.
PrefixList
Specify the IPv6 prefix list name to verify the
advertised prefixes in the RA packet against the
attached IPv6 prefix list.
Note:
Advertised prefixes are not validated if the
access-list is not attached.
If the list is attached and the advertised prefix
in the RA packet does not match any IPv6prefix in the list, then the RA packet is
dropped. To change this behavior, add an entry
in the IPv6 access list with prefix 0::0/0 with
access type as allow. The default value
changes from drop to allow.
MacAddrList
Specify the MAC list name to verify the sender
source MAC address against the attached MAC
access list.
Note:
The source MAC address in the RA packet is
not validated if the access-list is not attached.
If the list is attached and the source MAC
address in the RA packet does not match any
MAC address in the list, then the RA packet is
dropped.
ManagedConfigFlag
Select the managed configuration flag to verify
managed address configuration in the advertised
RA packet.
By default, none is selected and managed
configuration flag validation is skipped.
RouterPrefMax
Select the router preference maximum to verify the
if the advertised default router preference
parameter value is lower than or equal to a
specified limit.
Table continues…
December 2017
Configuring Security on VOSS
157
Layer 2 security
Name
Description
By default, none is selected and router preference
validation is skipped.
HopLimitMin
Specify the minimum hop limit to verify the
advertised hop count limit.
The value range is from 0 to 255
By default, minimum hop limit is 0.
HopLimitMax
Specify the maximum hop limit to verify the
advertised hop count limit.
The value range is from 0 to 255
By default, the maximum hop limit is 0 and If both
HopLimitMin and HopLimitMax are set to 0, then the
hop limit parameter in the RA packet is not
validated.
Viewing RA Guard policy
About this task
Use this procedure to display configured RA Guard policies.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the RA Guard Policy tab.
RA Guard Policy field descriptions
Use the data in the following table to use the RA Guard Policy tab.
Name
Description
PolicyName
Specifies the name of the RA Guard policy to be
created or modified.
SrcAddrList
Specify the IPv6 access list name to verify the
sender IPv6 address in the RA packets against the
attached IPv6 access list.
Note:
The source address in the RA packet is not
validated if the access-list is not attached.
If the list is attached and the IPv6 source
address in RA packet does not match any
IPv6-prefix in the list, then the RA packet is
dropped. To change this behavior, add an entry
in the IPv6 access list with prefix 0::0/0 with
Table continues…
December 2017
Configuring Security on VOSS
158
Layer 2 security configuration using the EDM
Name
Description
access type as allow. The default value
changes from drop to allow.
PrefixList
Specify the IPv6 prefix list name to verify the
advertised prefixes in the RA packet against the
attached IPv6 prefix list.
Note:
Advertised prefixes are not validated if the
access-list is not attached.
If the list is attached and the advertised prefix
in the RA packet does not match any IPv6prefix in the list, then the RA packet is
dropped. To change this behavior, add an entry
in the IPv6 access list with prefix 0::0/0 with
access type as allow. The default value
changes from drop to allow.
MacAddrList
Specify the MAC list name to verify the sender
source MAC address against the attached MAC
access list.
Note:
The source MAC address in the RA packet is
not validated if the access-list is not attached.
If the list is attached and the source MAC
address in the RA packet does not match any
MAC address in the list, then the RA packet is
dropped.
ManagedConfigFlag
Select the managed configuration flag to verify
managed address configuration in the advertised
RA packet.
By default, none is selected and managed
configuration flag validation is skipped.
RouterPrefMax
Select the router preference maximum to verify the
if the advertised default router preference
parameter value is lower than or equal to a
specified limit.
By default, none is selected and router preference
validation is skipped.
HopLimitMin
Specify the minimum hop limit to verify the
advertised hop count limit.
The value range is from 0 to 255
By default, minimum hop limit is 0.
Table continues…
December 2017
Configuring Security on VOSS
159
Layer 2 security
Name
Description
HopLimitMax
Specify the maximum hop limit to verify the
advertised hop count limit.
The value range is from 0 to 255
By default, the maximum hop limit is 0 and If both
HopLimitMin and HopLimitMax are set to 0, then the
hop limit parameter in the RA packet is not
validated.
Deleting an RA Guard policy
About this task
Use this procedure to delete the created RA Guard policy.
Note:
If this policy is already attached to an interface, then you cannot delete this policy.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the RA Guard Policy tab.
4. Select a row from the RA Guard policies to delete.
5. Click Delete.
Port policy mapping configuration
This configuration allows you to map the port with DHCPv6 Guard or RA Guard policy. You can
view, create or delete the mappings.
Creating port to policy mapping
About this task
Use this procedure to map a port to a RA Guard or DHCPv6 Guard policy, DHCPv6 Guard or RA
Guard statistics.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the Port Policy Mapping tab.
4. Click Insert.
5. Configure the parameters for the port policy mapping.
December 2017
Configuring Security on VOSS
160
Layer 2 security configuration using the EDM
6. Click Insert.
7. (Optional) Click Refresh to update the results.
Port Policy Mapping field descriptions
Use the data in the following table to use the Insert Port Policy Mapping dialog box.
Name
Description
IfIndex
Specify the port.
DHCPv6GuardPolicyName
Enter an already-created DHCPv6 Guard policy
name to map it with the port.
RAGuardPolicyName
Enter an already-created RA Guard policy name to
map it with the port.
Dhcpv6gDeviceRole
Select server or client configuration. The default is
server.
RagDeviceRole
Select host or router configuration. The default is
router.
Viewing port policy mapping
About this task
Use this procedure to display port policy mapping information.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the Port Policy Mapping tab.
Port Policy Mapping field descriptions
Use the data in the following table to use the Port Policy Mapping tab.
Name
Description
IfIndex
Identifies the port.
Dhcpv6gDeviceRole
Specifies the DHCPv6 Guard device-role of the
received port. If the device role is client and if it
receives DHCPv6 reply then those packets should
be dropped.
DHCPv6GuardPolicyName
Specifies the DHCPv6 Guard policy name
associated with the port.
TotalDHCPv6PktRcv
Shows the total number of DHCPv6 packets
received on the DHCPv6 Guard enabled interface.
TotalDHCPv6PktDropped
Shows the total number of DHCPv6 packets
dropped due to DHCPv6 Guard filtering.
Table continues…
December 2017
Configuring Security on VOSS
161
Layer 2 security
Name
Description
RagDeviceRole
Specifies the RA Guard device-role.
RAGuardPolicyName
Specifies the RA Guard policy name associated
with the port.
TotalRAPktRcv
Shows the total number of RA packets received on
the RA Guard enabled interface.
TotalRAPktDropped
Shows the total number of RA packets dropped due
to RA Guard filtering.
NDInspection
Enables or disables Neighbor Discovery (ND)
inspection. The default is disabled.
TotNdPktRcv
Shows the total number of ND packets received on
the RA Guard enabled interface.
TotNdPktDropped
Shows the total number of ND packets dropped due
to RA Guard filtering.
ClearDHCPGuardStats
Clears, if true, the DHCPv6 Guard statistics for the
port.
ClearRAGuardStats
Clears, if true, the RA Guard statistics for the port.
ClearNDInspectStats
Clears, if true, the ND-inspection statistics for the
port.
Deleting port policy mapping
About this task
Use this procedure to delete the created port policy mapping.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the Port Policy Mapping tab.
4. Select a row from Port Policy Mapping to delete.
5. Click Delete.
6. Click Apply.
DHCP Snooping configuration using EDM
The following section provides procedures to configure DHCP Snooping using EDM.
December 2017
Configuring Security on VOSS
162
Layer 2 security configuration using the EDM
Enabling DHCP Snooping globally
Use the following procedure to enable DHCP Snooping globally. If DHCP Snooping is globally
disabled, the switch forwards DHCP reply packets (received on trusted or untrusted ports) to all
ports.
Procedure
1. In the navigation pane, expand the Configuration > IP folders.
2. Click DHCP Snooping.
3. Click the DHCP Snooping Globals tab.
4. Select Enabled.
5. Click Apply.
DHCP Snooping Globals field descriptions
Use data in the following table to use the DHCP Snooping Globals tab.
Name
Description
Enabled
Enables DHCP Snooping globally. By default, DHCP Snooping is
disabled.
Configuring DHCP Snooping on VLANs
Use the following procedure to configure DHCP Snooping on a specific VLAN. If DHCP Snooping
is globally disabled, the switch forwards DHCP reply packets (received on trusted or untrusted
ports) to all ports.
If you enable DHCP Snooping globally, the agent determines whether to forward DHCP reply
packets based on the DHCP Snooping mode of the VLAN and trusted state of the port.
Note:
You cannot enable DHCP Snooping on Private VLANs (E-Tree) and SPBM B-VLANs.
Before you begin
You must enable DHCP Snooping globally.
Procedure
1. In the navigation pane, expand the Configuration > IP folders.
2. Click DHCP Snooping.
3. Click the DHCP Snooping-VLAN tab.
4. In the row for the VLAN, double-click the DhcpSnoopingEnabled field, and select true to
enable DHCP Snooping.
5. Click Apply.
December 2017
Configuring Security on VOSS
163
Layer 2 security
DHCP Snooping-VLAN field descriptions
Use the data in the following table to use the DHCP Snooping-VLAN tab.
Name
Description
VlanId
Specifies the VLAN ID.
DhcpSnoopingEnabled
Specifies if DHCP Snooping is enabled or disabled for the
particular VLAN. By default, DHCP Snooping is disabled.
Configuring trusted and untrusted ports
Use the following procedure to set the trust factor associated with a port for DHCP Snooping. By
default, the trust factor is set to untrusted on all ports.
Note:
For ports that are members of an MLT, DHCP Snooping must be configured using the MLT
configuration mode.
Before you begin
To enable DHCP Snooping on a port, you must enable DHCP Snooping globally.
Procedure
1. In the navigation pane, expand the Configuration > IP folders.
2. Click DHCP Snooping.
3. Click the DHCP Snooping-port tab.
4. In the row for the port, double-click the DhcpSnoopingIfTrusted field, and select trusted
or untrusted to set DHCP Snooping.
5. Click Apply.
DHCP Snooping-port field descriptions
Use data in the following table to use the DHCP Snooping-port tab.
Name
Description
Port
Specifies the port on the switch.
DhcpSnoopingIfTrusted
Specifies if the switch ports are trusted for DHCP Snooping. By
default, it is set as untrusted.
DHCP binding configuration
The following section provides procedures to configure the DHCP binding table using EDM.
Creating DHCP binding table entries
Use the following procedure to add entries for devices with static IP addresses to the DHCP
binding table.
December 2017
Configuring Security on VOSS
164
Layer 2 security configuration using the EDM
Procedure
1. In the navigation pane, expand the Configuration > IP folders.
2. Click DHCP Snooping.
3. Click the DHCP Bindings tab.
4. Click Insert.
5. In the VlanId field, enter the VLAN ID.
6. In the MacAddress field, enter the MAC address of the DHCP client.
7. In the AddressType field, select a value.
8. In the Address field, enter the IP address of the DHCP client.
9. In the Interface field, select a port.
10. In the LeaseTime(sec) field, enter the time in seconds.
11. Click Insert.
12. Click Apply.
DHCP Bindings field descriptions
Use data in the following table to use the DHCP Bindings tab.
Name
Description
VlanId
Specifies the VLAN to which the DHCP client belongs.
MacAddress
Specifies the MAC address of the DHCP client.
AddressType
Specifies the type of address. The default address type is IPv4.
Address
Specifies the IP address assigned to the DHCP client.
Interface
Specifies the interface to which the DHCP client connects.
LeaseTime(sec)
Specifies the lease time (in seconds) of the particular DHCP
binding entry. The time range is 0 to 2147483646 seconds.
TimeToExpiry(sec)
Species the time of expiry (in seconds) of the DHCP binding
entry.
EntryType
Specifies the type of the DHCP binding entry.
• If the entry was created through DHCP snooping, the type is
learned(1).
• If the entry was created through a management operation, the
type is static(2).
Viewing DHCP binding information
Use the following procedure to view all entries in the DHCP binding table.
Procedure
1. In the navigation pane, expand the Configuration > IP folders.
December 2017
Configuring Security on VOSS
165
Layer 2 security
2. Click DHCP Snooping.
3. Click the DHCP Bindings tab.
DHCP Bindings field descriptions
Use data in the following table to use the DHCP Bindings tab.
Name
Description
VlanId
Specifies the VLAN to which the DHCP client belongs.
MacAddress
Specifies the MAC address of the DHCP client.
AddressType
Specifies the type of address. The default address type is IPv4.
Address
Specifies the IP address assigned to the DHCP client.
Interface
Specifies the interface to which the DHCP client connects.
LeaseTime(sec)
Specifies the lease time (in seconds) of the particular DHCP
binding entry. The time range is 0 to 2147483646 seconds.
TimeToExpiry(sec)
Species the time of expiry (in seconds) of the DHCP binding
entry.
EntryType
Specifies the type of the DHCP binding entry.
• If the entry was created through DHCP snooping, the type is
learned(1).
• If the entry was created through a management operation, the
type is static(2).
SBT configuration
This configuration allows you to build a snooping binding table (SBT) which contains entries from
only trusted devices or hosts. This SBT table is used to validate Neighbor Discovery (ND) packets.
You can view, create, or delete the entries in the SBT.
Creating an SBT entry
About this task
Use this procedure to create an SBT entry.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the Snoop Binding tab.
4. Click Insert.
5. Configure the parameters for the snoop binding.
6. Click Insert.
7. (Optional) Click Refresh to update the results.
December 2017
Configuring Security on VOSS
166
Layer 2 security configuration using the EDM
Snoop Binding field descriptions
Use the data in the following table to use the Snoop Binding tab. A subset of these fields appear if
click Insert.
Name
Description
VlanId
Specify the VLAN to which the snooped entry
belongs.
Ipv6Address
Enter the IPv6 address assigned to the IPv6 host.
MacAddress
Enter the MAC address of the snooped entry.
InterfaceIndex
Specify the interface on which the entry is learnt.
EntryType
Indicates the type of entry - static (1) or dynamic
(2).
EntrySource
Indicates the method entry was learnt from - static
(1) or dhcp (2).
ValidTime
Indicates the valid time for the snooped entry.
TimeToExpiry
Indicates the time to expiry of the snooped entry.
Viewing SBT entries
About this task
Use this procedure to display a configured SBT table.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the Snoop Binding tab.
Snoop Binding field descriptions
Use the data in the following table to use the Snoop Binding tab. A subset of these fields appear if
click Insert.
Name
Description
VlanId
Specify the VLAN to which the snooped entry
belongs.
Ipv6Address
Enter the IPv6 address assigned to the IPv6 host.
MacAddress
Enter the MAC address of the snooped entry.
InterfaceIndex
Specify the interface on which the entry is learnt.
EntryType
Indicates the type of entry - static (1) or dynamic
(2).
EntrySource
Indicates the method entry was learnt from - static
(1) or dhcp (2).
Table continues…
December 2017
Configuring Security on VOSS
167
Layer 2 security
Name
Description
ValidTime
Indicates the valid time for the snooped entry.
TimeToExpiry
Indicates the time to expiry of the snooped entry.
Deleting an SBT entry
About this task
Use this procedure to delete an entry from the SBT table.
Procedure
1. In the navigation pane, expand the following folders: Configuration > IPv6.
2. Click FHS.
3. Click the Snoop Binding tab.
4. Select a row from the list to delete.
5. Click Delete.
IP Source Guard configuration using the EDM
The following sections provide procedural information you can use to configure IP Source Guard
(IPSG) on a port, using the Enterprise Device Manager (EDM).
Note:
The switch supports configuration of IP Source Guard for both IPv4 and IPv6 addresses.
Enabling IP Source Guard on a port for IPv4 addresses
About this task
Enable IP Source Guard (IPSG) to add a higher level of security to a desired port by preventing IP
spoofing. When you enable IPSG on the interface, filters are installed for IPv4 addresses that are
already learned on that interface.
Before you begin
Ensure that the following conditions are all satisfied, before you enable IPSG on a port. Otherwise,
the system displays error messages.
• DHCP Snooping is enabled globally.
• The port on which you want to enable IPSG is a member of a VLAN that is configured with
both DHCP Snooping and Dynamic ARP Inspection.
• The port is an untrusted port enabled with both DHCP Snooping and Dynamic ARP
Inspection.
• The port has enough resources allocated to support the maximum number of 10 IP
addresses allowed for IPSG.
December 2017
Configuring Security on VOSS
168
Layer 2 security configuration using the EDM
Procedure
1. In the navigation tree, expand the following folders: Configuration > IP.
2. Click Source Guard.
3. Click the IP Source Guard-port tab.
4. Double-click the Mode field
5. Select ip from the list, to enable IPSG.
6. Repeat the steps above to configure IPSG on additional ports.
7. Click Apply to save your changes.
8. Click Refresh to update the IP Source Guard-port tab.
IP Source Guard-port field descriptions
Use the data in the following table to use the IP Source Guard-port tab.
Name
Description
Port
Identifies the port on which to enable IPSG.
Mode
Displays whether IPSG is enabled on the port.
The default is disabled.
Viewing IPv4 address bindings
View the IPv4 address bindings that IPSG allows.
Procedure
1. In the navigation tree, expand the following folders: Configuration > IP.
2. Click Source Guard.
3. Click the IP Source Guard-addresses tab.
IP Source Guard-addresses field descriptions
Use the data in the following table to use the IP Source Guard-addresses tab.
Field
Description
Port
Indicates the port on which IPSG is configured.
Type
Indicates the address type.
Address
Indicates the IPv4 address that is allowed by IPSG
on the port.
Source
Indicates the source of the IPv4 address, which is
DHCP Snooping.
December 2017
Configuring Security on VOSS
169
Layer 2 security
Configuring IP Source Guard on a port for IPv6 addresses
About this task
Enable IPSG to add a higher level of security to a desired port, by preventing IP spoofing. When
you enable IPSG on an interface, filters are automatically installed for the IPv6 addresses that are
already learned on that interface.
Before you begin
Ensure that the following conditions are all satisfied, before you enable IPSG on a port. Otherwise,
the system displays error messages.
• DHCP Snooping is enabled globally.
• The port is a member of a VLAN that is configured with both DHCP Snooping and IPv6
Neighbor Discovery inspection.
• The port is an untrusted port enabled with both DHCP Snooping and IPv6 Neighbor
Discovery inspection.
• The port has enough resources allocated to support the maximum number of 10 IP
addresses allowed for IPSG.
Procedure
1. In the navigation tree, expand the following folders: Configuration > IPv6.
2. Click IPv6.
3. Click the Source Guard tab.
4. Double-click the InterfaceState field.
5. Select a value from the list: true or false.
6. Double-click the MaxAddr field.
7. Enter the maximum number of IPv6 addresses that are allowed to transmit data on the
port.
8. (Optional) To clear the overflow counters, double-click ClearOverflowCount and select
true.
9. Click Apply to save your changes.
10. Click Refresh to update the Source Guard tab.
Source Guard field descriptions
Use the data in the following table to use the Source Guard tab.
Name
Description
IfIndex
Specifies a value that uniquely identifies the port.
InterfaceState
Specifies the state of the interface. The default
value is false.
Table continues…
December 2017
Configuring Security on VOSS
170
Layer 2 security example scenarios
Name
Description
MaxAddr
Specifies the maximum number of IPv6 addresses
allowed to transmit data through the port. The
default value is 4.
Note:
To reset the value to default, IPSG must first
be disabled on the interface.
OverflowCount
Specifies the number of IPv6 addresses for which
filters are not added on the IPSG port, due to a lack
of filter resources.
The default value is 0.
ClearOverflowCount
Specifies whether the overflow counter must be
cleared. By default, the value is false.
Viewing IPv6 address bindings
View the IPv6 address bindings that IPSG allows.
Procedure
1. In the navigation tree, expand the following folders: Configuration > IPv6.
2. Click IPv6.
3. Click the Source Guard Binding tab.
Source Guard Binding field descriptions
Use the data in the following table to use the Source Guard Binding tab.
Field
Description
IfIndex
Specifies a value that uniquely identifies the port.
IPv6Addr
Specifies the binding entry for the IPv6 address.
Layer 2 security example scenarios
The following sections describe configuration examples to configure Layer 2 security features for
IPv4 and IPv6 deployments.
FHS deployment scenario
In the following example, the Layer 2 switch “SW-1” is connected to another Layer 2 switch
“SW-2”, two hosts and a DHCP server. Switch “SW-2” is connected to two other hosts and a
router. Out of the two hosts connected to SW-2, one is a malicious host, which can generate
December 2017
Configuring Security on VOSS
171
Layer 2 security
bogus RA packets to advertise route prefix, and can also generate bogus DHCP reply packets to
configure wrong IPv6 address or wrong default gateway. By doing this, it tries denial-of-service or
Man-in-the-Middle attacks. These attacks must be prevented as it affects all the nodes present in
the Layer 2 network and FHS can be effective in preventing these attacks.
These attacks can spread over the entire Layer 2 network and thus can affect the hosts connected
to SW-2 as well as the hosts connected to SW-1. If you enable FHS only on SW-2, then it could
only save the nodes which are directly connected to it. To prevent the good node connected to
SW-1 from these attacks, the SW-1 switch also should be FHS enabled.
The following figure shows the FHS deployment scenario topology.
Figure 11: FHS deployment topology
By default, all the ports are trusted, until you configure DHCPv6 Guard or RA Guard policies.
See the following procedures to configure FHS RA Guard and DHCPv6 Guard for the preceding
topology.
Creating FHS IPv6 ACL
About this task
Filter IPv6 traffic by creating IPv6 Access Control Lists (ACLs) and applying them to the interfaces
similar to the way that you create and apply IPv4 named ACLs.
December 2017
Configuring Security on VOSS
172
Layer 2 security example scenarios
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create an IP ACL name (ipv6_acl_1) to match the source IPv6 address of the router
connected to the interface.
ipv6 fhs ipv6-access-list ipv6_acl_1
fe80:0:0:0:cef9:54ff:feb4:9481/128 mode allow
3. Create an IP ACL name (ipv6_acl_1) to match the source IPv6 address of the DHCPv6server connected to the interface.
ipv6 fhs ipv6-access-list ipv6_acl_1
fe80:0:0:0:cef9:54ff:feb4:9481/128 mode allow
Next steps
Create a First Hop Security MAC ACL.
Creating an FHS MAC ACL
About this task
Filter the IPv6 traffic by creating a MAC access list with the ACL mode.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a MAC ACL name (rtr_smac) to match the source MAC of the router connected to
the interface 1/2.
ipv6 fhs mac-access-list mac_acl_1 00:11:22:33:44:66 mode allow
Creating a DHCPv6 Guard policy for the router
About this task
Create a DHCPv6 Guard policy to provide Layer 2 security to DHCPv6 clients by protecting them
against rogue DHCPv6 servers.
Procedure
1. Enter Global Configuration mode:
December 2017
Configuring Security on VOSS
173
Layer 2 security
enable
configure terminal
2. Enter DHCP Guard mode with the DHCPv6 Guard policy name (dhcpv6g_pol_1). The
DHCPv6 Guard policy for the interface is connected to a router.
ipv6 fhs dhcp-guard policy dhcpv6g_pol_1
3. Configure the source IPv6 access list to allow only a DHCPv6 server replies that originate
from the IPv6 address fe80:0:0:0:cef9:54ff:feb4:9481/128 and check the preceding IPv6
ACL configuration for ipv6_acl_1 list.
match server access-list ipv6_acl_1
4. Verify the prefixes sent in the DHCPv6 server reply message so that the ipv6_acl_2 IPv6
ACL configuration allows only the prefix 1000::1/64.
match reply prefix-list ipv6_acl_1
Creating an RA Guard policy for the router
About this task
Create an rag_pol_1 RA Guard policy for the router and configure the source IPv6 access list to
allow only the RA packets that originate from the source IPv6 address
fe80:0:0:0:cef9:54ff:feb4:9481/128. This configuration verifies the prefixes sent in the RA
packets.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enter the RA Guard mode and configure RA Guard policy (rag_pol_1) for the interface
connected to a router.
ipv6 fhs ra-guard policy rag_pol_1
3. Configure the source IPv6 access list to allow only RA packets originating from the source
IPv6 address fe80:0:0:0:cef9:54ff:feb4:9481/128.
match ipv6 ra-srcaddr-list ipv6_acl_1
4. Verify the prefixes sent in the RA packets so that the rtr_pip IPv6 ACL configuration allows
only the prefix 60::0/64.
match reply ra-prefix-list ipv6_acl_1
December 2017
Configuring Security on VOSS
174
Layer 2 security example scenarios
Attaching FHS policies to the interfaces
About this task
Attach the FHS policies to the interfaces.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure DHCPv6 Guard and RA Guard policies on the interface (1/2) that connects to
the router.
interface ethernet 1/2
ipv6 dhcp-guard attach-policy dhcpv6g_pol_1
ipv6 ra-guard attach-policy rag_pol_1
IPv6 DHCP Snooping and ND Inspection configuration example
This section shows examples of IPv6 DHCP snooping and ND inspection configuration.
Enable DHCPv6 Guard, ND inspection, and First Hop Security.
ipv6 fhs dhcp-guard enable
ipv6 fhs nd-inspection enable
ipv6 fhs enable
Create VLAN 1000 and add port members.
vlan create 1000 type port-mstprstp 0
vlan members add 1000 1/1-1/10
Enable DHCPv6 snooping and ND inspection on VLAN 1000.
interface vlan 1000
ipv6 fhs snooping dhcp enable
ipv6 fhs nd-inspection enable
exit
Add static SBT entry.
ipv6 fhs snooping static-binding ipv6-address 2001:DB8:0:0:0001:02ff:fe03:0405 vlan
1000 mac-address 00:01:02:03:04:05 port 1/5
Set the DHCPv6 Guard device-role on port 1/1 of the device on which DHCPv6 Guard is
configured.
interface gigabitEthernet 1/1
ipv6 fhs dhcp-guard device-role server
December 2017
Configuring Security on VOSS
175
Layer 2 security
exit
Enable ND inspection on ports 1/2 through 1/10.
interface gigabitEthernet 1/2-1/10
ipv6 fhs nd-inspection enable
exit
View the status.
show
show
show
show
ipv6
ipv6
ipv6
ipv6
fhs
fhs
fhs
fhs
port-policy
status
status vlan
snooping binding
Configuring IP Source Guard
The following section describes a simple configuration example to configure IP Source Guard
(IPSG) on a port.
When you enable IPSG on a port, filters are installed for the IPv4 or IPv6 addresses that are
already learned on that port.
Procedure
Enable DHCP Snooping globally on the switch and verify the configuration.
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable DHCP Snooping globally.
ip dhcp-snooping enable
3. Verify the configuration.
show ip dhcp-snooping
Enable DHCP Snooping and Dynamic ARP Inspection on the VLAN that the port is a member
of.
4. Enter VLAN Interface Configuration mode:
enable
configure terminal
interface vlan <1–4059>
5. Enable DHCP Snooping on the VLAN.
ip dhcp-snooping enable
6. Verify the configuration.
December 2017
Configuring Security on VOSS
176
Layer 2 security example scenarios
show ip dhcp-snooping vlan <1-4059>
7. Enable Dynamic ARP Inspection on the VLAN.
ip arp-inspection enable
8. Verify the configuration.
show ip arp-inspection vlan <1-4059>
9. Verify that the port on which you want to configure IPSG is a DHCP Snooping and a
Dynamic ARP Inspection untrusted port.
show ip dhcp-snooping interface gigabitEthernet [{slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
show ip arp-inspection interface gigabitEthernet [{slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
Configure IPSG on a port and verify the configuration.
10. Perform one of the following steps to configure IPSG on a port, for IPv4 or IPv6 addresses.
• Enable and verify IPSG on a port for IPv4 addresses:
a. ip source verify enable
b. show ip source verify interface gigabitethernet [{slot/port[/
sub-port] [-slot/port[/sub-port]] [,...]}]
• Enable and verify IPSG on a port for IPv6 addresses:
a. ipv6 source-guard enable
b. ipv6 source-guard [max-allowed-addr <2-10>]
Note:
The default value is 4. To reset the value to default, IPSG must first be disabled
on the interface.
c. show ipv6 source-guard interface gigabitEthernet [{slot/
port[/sub-port] [-slot/port[/sub-port]] [,...]}]
Example
The following example describes how to enable IPSG on port 4/5 which is a member of VLAN 10,
for IPv4 or IPv6 addresses.
Switch:1>en
Switch:1#configure terminal
Enter configuration commands, one per line.
Switch:1(config)#
End with CNTL/Z.
Enable DHCP Snooping globally and verify the configuration.
Switch:1(config)#ip dhcp-snooping enable
Switch:1(config)#show ip dhcp-snooping
=================================================================================
Dhcp Snooping General Info
=================================================================================
Dhcp Snooping
: Enabled
December 2017
Configuring Security on VOSS
177
Layer 2 security
---------------------------------------------------------------------------------
Enable DHCP Snooping and Dynamic ARP Inspection on a VLAN that the port is a member of.
Switch:1(config)#interface vlan 10
Switch:1(config-if)#show ip dhcp-snooping vlan 10
==================================================================================
Dhcp Snooping Vlan Info
==================================================================================
VLAN
VRF
ID
NAME
ENABLE
---------------------------------------------------------------------------------10
GlobalRouter
true
---------------------------------------------------------------------------------All 1 out of 1 Total Num of Dhcp Snooping entries displayed
Switch:1(config-if)#ip arp-inspection enable
Switch:1(config-if)#show ip arp-inspection vlan 10
==================================================================================
Arp Inspection Vlan Info
==================================================================================
VLAN
VRF
ID
NAME
ENABLE
---------------------------------------------------------------------------------10
GlobalRouter
true
---------------------------------------------------------------------------------All 1 out of 1 Total Num of Arp Inspection entries displayed
Verify that the port is DHCP Snooping and Dynamic ARP Inspection untrusted.
Switch:1(config-if)#show ip dhcp-snooping interface gigabitEthernet 4/5
================================================================================
Dhcp Snooping Interface Info
================================================================================
PORT
PORT
TRUNK
NUM
CLASS
ID
-------------------------------------------------------------------------------4/5
UNTRUSTED
none
-------------------------------------------------------------------------------All 1 out of 1 Total Num of Dhcp Snooping entries displayed
Switch:1(config-if)#show ip arp-inspection interface gigabitEthernet 4/5
===================================================================================
Arp Inspection Port Info
===================================================================================
PORT
PORT
TRUNK
NUM
CLASS
ID
----------------------------------------------------------------------------------4/5
UNTRUSTED
none
----------------------------------------------------------------------------------All 1 out of 1 Total Num of Arp Inspection entries displayed
Enable IPSG on port 4/5 for IPv4 addresses, and verify the configuration. This port is a member of
VLAN 10.
Switch:1(config-if)#ip source verify enable
Switch:1(config-if)#show ip source verify interface gigabitethernet 4/5
December 2017
Configuring Security on VOSS
178
Layer 2 security example scenarios
===================================================================================
Source Guard Port Info
===================================================================================
PORT
NUM
ENABLE
----------------------------------------------------------------------------------4/5
true
----------------------------------------------------------------------------------All 1 out of 1 Total Num of Ip Source Guard entries displayed
Enable IPSG on port 4/1 for IPv6 addresses, and verify the configuration. This port is a member of
VLAN 10.
Switch:1(config-if)#ipv6 source-guard enable
Switch:1(config-if)#ipv6 source-guard max-allowed-addr 10
Switch:1(config-if)#show ipv6 source-guard interface gigabitEthernet 4/1
Slot/Port Source Guard Number of IPv6 Address
Mode
address allowed overflow count
==========================================================
4/1
Enabled
10
0
December 2017
Configuring Security on VOSS
179
Chapter 5: Extensible Authentication
Protocol over LAN
The following sections describe Extensible Authentication Protocol over LAN (EAPoL) and its
configuration.
EAPOL fundamentals
Extensible Authentication Protocol over LAN (EAPoL or EAP) is a port-based network access
control protocol. EAP provides security by preventing users from accessing network resources
before they are authenticated. The EAP authentication feature prevents users from accessing a
network to assume a valid identity and access confidential material or launch denial-of-service
attacks.
You can use EAP to set up network access control on internal LANs and to exchange
authentication information between an end station or server that connects to a switch and an
authentication server (such as a RADIUS server). This security feature extends the benefits of
remote authentication to internal LAN clients. For example, if a new client PC fails the
authentication process, EAP prevents the new client PC from accessing the network.
EAP terminology
This section lists some components and terms used with EAP-based security.
• Supplicant—a device, such as a PC, that applies for access to the network.
• Authenticator—software on a switch that authorizes or rejects a Supplicant attached to the
other end of a LAN segment.
- Port Access Entity (PAE)—software that controls each port on the device. The PAE, which
resides on the switch, supports the Authenticator functionality.
- Controlled Port—any port on the device with EAP enabled.
• Authentication Server—a RADIUS server that provides AAA services to the authenticator.
December 2017
Configuring Security on VOSS
180
EAP configuration
EAP configuration
EAP configuration considerations
This section lists EAP configuration considerations.
• You must configure at least one EAP RADIUS server and shared secret fields.
• You cannot configure EAP on ports that are currently configured for the following:
- Shared segments
- MultiLink Trunking
• Change the authentication status to auto for each port that you want to control. The auto
setting automatically authenticates the port according to the results of the RADIUS server.
The default authentication setting for each port is authorized.
• When multiple clients are authenticated on the same port, the priority of the latest incoming
client is applied on the port, and this priority is retained until all the clients log out on that port.
Configuration process
The Authenticator facilitates the authentication exchanges that occur between the Supplicant and
the Authentication Server. The Authenticator PORT ACCESS ENTITY (PAE) encapsulates the
EAP message into a RADIUS packet, and then sends the packet to the Authentication Server.
The Authenticator manages the access to controlled port. At system initialization, or when a
Supplicant initially connects to one of the controlled ports on the device, the system blocks data
traffic of the Supplicant until gets authenticated. After the Authentication Server notifies the
Authenticator PAE about the success or failure of the authentication, the Authenticator decides
whether to permit/deny the traffic of client on controlled port.
non-EAPoL (NEAP) frames transmit according to the following rules:
• If authentication succeeds, the client blocked from accessing is allowed to the controlled port,
which means the system allows all the incoming and outgoing traffic from that client through
the port.
• If authentication fails, client is blocked from accessing, which means both incoming and
outgoing traffic is not allowed to client.
The following figure illustrates how the switch, configured with EAP, reacts to a new network
connection.
December 2017
Configuring Security on VOSS
181
Extensible Authentication Protocol over LAN
Figure 12: EAP configuration example
In the preceding figure, the switch uses the following steps to authenticate a new client:
1. The switch detects a new connection on one of its EAP-enabled ports and requests a user
ID from the new client PC.
2. The new client sends its user ID to the switch.
3. The switch uses RADIUS to forward the user ID to the RADIUS server.
4. The RADIUS server responds with a request for the password of the user.
5. The switch forwards the request from the RADIUS server to the new client.
6. The new client sends an encrypted password to the switch, within the EAP packet.
7. The switch forwards the EAP packet to the RADIUS server.
8. The RADIUS server authenticates the password.
9. The switch grants the new client access to the network.
10. The new client accesses the network.
If the RADIUS server cannot authenticate the new client, it denies the new client access to the
network.
The following figure shows the Ethernet frames and the corresponding codes for EAP as specified
by 802.1x.
December 2017
Configuring Security on VOSS
182
EAP configuration
Figure 13: 802.1x Ethernet frame
The following figure shows the flow diagram for EAP on a switch.
December 2017
Configuring Security on VOSS
183
Extensible Authentication Protocol over LAN
Figure 14: EAP flow diagram
December 2017
Configuring Security on VOSS
184
EAP system requirements
EAP system requirements
The following are the minimum system requirements for EAP:
• RADIUS server
• Client software that supports EAP
You must specify the RADIUS server that supports EAP as the primary RADIUS server for the
switch. You must configure your switch for VLANs and EAP security.
If you configure EAP on a port, the following limitations apply:
• You cannot enable EAP on ports that belong to an MLT group.
• You cannot add EAP-enabled ports to an MLT group.
• You can configure a total of 32 MAC clients, EAP and NEAP hosts, on an EAP-enabled port.
Two MAC clients per port is a typical configuration.
• You cannot configure EAP on MLT/LACP interfaces.
• You cannot add EAP-enabled ports to an MLT/LACP group.
• You cannot enable VLACP on EAP enabled ports.
• Manual VLAN changes on a EAP enabled port is restricted.
• You cannot change the VLAN port tagging on EAP enabled ports.
• You cannot configure the default VLAN ID. Use the Guest VLAN configuration to access
unauthenticated devices.
• You cannot enable MACsec on EAP enabled ports.
• You cannot enable EAP on NNI interfaces.
• You cannot egress mirror an EAP PDU.
• Do not use EAP with a brouter port.
• Ping to and from services between nodes over the NNI will work even when it contains only
EAP enabled ports with no authenticated clients on it.
• MHSA and Fail Open VLAN are mutually exclusive.
• You cannot change the EAP operation mode on EAP enabled ports.
• You cannot configure private VLANs as Fail Open VLAN or Guest VLAN.
• You cannot configure spbm-BVLAN as Fail Open VLAN or Guest VLAN.
• You cannot enable EAP on an IP Source Guard enabled port.
• You cannot delete a VLAN if the VLAN is configured as Fail Open VLAN or Guest VLAN.
• You cannot configure DHCP-Snooping enabled VLAN as Guest VLAN or Fail Open VLAN.
• You cannot configure DHCP-Snooping on VLANs used by EAP (Initial VLAN, Radius
assigned VLAN, Guest VLAN, and Fail Open VLAN).
• You cannot configure EAP on a port member of DHCP-Snooping enabled VLAN.
December 2017
Configuring Security on VOSS
185
Extensible Authentication Protocol over LAN
EAP dynamic VLAN assignment
If you configure a RADIUS server to send a VLAN ID in the Access-Accept response, the EAP
feature dynamically changes the VLAN configuration of the port by adding the port to the specified
VLAN.
EAP dynamic VLAN assignment affects the following VLAN configuration values:
• Port membership
• Port priority
• Default VLAN ID
When you disable EAP on a port that was previously authorized, VLAN configuration values for
that port are restored directly from the nonvolatile random access memory (NVRAM) of the device.
You can set up your Authentication Server (RADIUS server) for EAP dynamic VLAN assignments.
You can use the Authentication Server to configure user-specific settings for VLAN memberships
and port priority.
When you log on to a system that is configured for EAP authentication, the Authentication Server
recognizes your user ID and notifies the device to assign preconfigured (user-specific) VLAN
membership and port priorities to the device. The configuration settings are based on
configuration parameters that were customized for your user ID and previously stored on the
Authentication Server.
Note:
Static entries like IGMP, ARP, FDB configured on a port of an VLAN interface, will not be
retained if the port is assigned a same VLAN by the RADIUS server and the client
authenticated on the port gets disconnected or unauthenticated.
Multiple Host Multiple VLAN (MHMV)
With the MHMV feature, you can assign multiple authenticated devices to different VLANs on the
same EAP-enabled port using device MAC addresses. Using RADIUS VLAN attributes, different
clients can access different VLANS. This separates traffic for different MAC clients.
Enhanced MHMV:
Use enhanced MHMV to assign multiple authenticated devices to different VLANs on the same
port. Clients can access different VLANs access using the MAC address of the devices. Different
clients with different level of access (unauthorized to authorized) in different VLANs can exist on
the same port.
With enhanced MHMV, EAP Multihost VLAN supports tagged and untagged ports. A port can be a
member of multiple tagged and untagged VLANs.
In MHMV mode, MAC based VLANs support traffic separation between different authenticated
MAC clients. MAC based VLAN traffic separation applies only to untagged VLAN traffic. If the data
traffic is tagged and if VLAN is configured on the port, then the traffic is forwarded to the VLAN
associated with the tag.
December 2017
Configuring Security on VOSS
186
EAP dynamic VLAN assignment
MHMV usage scenario
The following example illustrates the usage scenario for a MHMV port with n unauthenticated
clients:
• Clients (n) connect to a switch port. The maximum number of clients (EAP + NEAP) allowed
on a port is 32.
• EAP is enabled and the default operation mode is MHMV.
• Modify client counters to authenticate n clients.
• Initial VLANs are the VLANS which are manually set up before EAP is enabled.
• Port default VLAN ID is equal to one of the initial VLAN ID.
• All clients are unauthenticated, hence the clients cannot access the network.
The following figure represents the functionality when clients are not authenticated.
Note:
The clients cannot access the network as they are not authenticated.
When client PC1 authenticates, there are two scenarios:
1. Client PC1 does not receive RADIUS VLAN attribute:
• There are no changes to the port membership and port default VLAN ID.
• PC1 is the only client that is allowed access to the initial VLANs.
December 2017
Configuring Security on VOSS
187
Extensible Authentication Protocol over LAN
• A VLAN MAC rule is added that associates the MAC with the default VLAN ID.
• If the VLAN is configured on the port, then the tagged traffic from PC1 is forwarded to
the VLAN associated with the tag.
• Untagged traffic from PC1 is forwarded to the port default VLAN.
2. Client PC1 receives RADIUS VLAN attribute:
• The port is left in all initial VLANs and added to the VLAN corresponding to the RADIUS
VLAN attribute.
• Port default VLAN remains unchanged.
• A VLAN MAC based rule is configured for client PC1.
• Using the VLAN MAC based capabilities, the untagged traffic from PC1 goes to the
RADIUS assigned VLAN 1 as shown in the figure below.
• Client PC1 can access all initial VLANs using tagged frames.
• The remaining clients stay unauthenticated and cannot access any VLANs.
The following figure represents the functionality when client PC1 authenticates.
Note:
PC1 is authenticated with RADIUS VLAN 1. The other clients cannot access the network as
they are unauthenticated.
December 2017
Configuring Security on VOSS
188
Traffic forwarding on EAP enabled port
When a client disconnects the following happens:
• The MAC VLAN rule is removed from the switch.
• If the RADIUS VLAN attribute was used with the client was authenticated and no other clients
are authenticated on that RADIUS VLAN, then the port is removed from the VLAN. If other
clients are authenticated on that RADIUS VLAN, then the VLAN MAC rule is deleted.
• If RADIUS VLAN attribute is not used when the client is authenticated, then only the VLAN
MAC rule is deleted.
Traffic forwarding on EAP enabled port
The following table summarizes how tagged and untagged traffic is forwarded on EAP enabled
port after successful authentication.
Porttagging
Untagged
Untagged
Tagged
Tagged
Tagged
EAP client Authenticated
authenticat
RAV assigned
ion or
authorizati
on status
Authentication
failure
Authenticated
Authenticated
No RAV
assigned
RAV assigned
Authentication
failure
Ingress
untagged
traffic
Classified into
RAV
Drop
Classified into
port default
VLAN
Classified into
RAV
Drop
Ingress
tagged
with RAV
Drop
Drop
If configured,
then classified
into the TAG on
the packet
Classified into
RAV
Drop
Ingress
tagged
(not RAV),
VLAN not
configured
on the port
Drop
Drop
Drop
Drop
Drop
Ingress
tagged
(not RAV),
VLAN
configured
on the port
Drop
Drop
Classified into
TAG VLAN since
VLAN is
configured on
the port
Classified into
Drop
TAG VLAN since
VLAN is
configured on
the port
Drop till the first
MAC client is
authenticated
Untagged traffic
sent out of port
Untagged traffic
sent out of port
Egress
Untagged traffic
traffic (RAV sent out of port
or
configured
Drop till the first
MAC client is
authenticated
Table continues…
December 2017
Configuring Security on VOSS
189
Extensible Authentication Protocol over LAN
Porttagging
VLANs on
port)
Untagged
Untagged
Tagged
Tagged
Tagged
RADIUS-assigned VLAN
RADIUS-assigned VLAN gives you greater flexibility and a more centralized assignment. This
allows the RADIUS server to dynamically assign VLANs to a port.
RADIUS return attributes supported for EAP
The switch uses the RADIUS tunnel attributes to place a port into a particular VLAN to support
dynamic VLAN switching based on authentication.
The RADIUS server indicates the desired VLAN by including the tunnel attribute within the
Access-Accept message. RADIUS uses the following tunnel attributes:
• Tunnel-Type = VLAN (13)
• Tunnel-Medium-Type = 802
• Tunnel-Private-Group-ID = VLAN ID
The VLAN ID is 12 bits, uses a value from <1-4059>, and is encoded as a string.
In addition, you can set up the RADIUS server to send a vendor-specific attribute to configure port
priority. You can assign the switch Supplicant port a QoS value from 0 to 6.
The following figure shows the RADIUS vendor-specific frame format.
Figure 15: RADIUS vendor-specific frame format
The following list provides the switch Port Priority frame format:
• vendor specific type = 26
• length = 12
• vendor-id = 1584, 562
• string = vendor type = 1 + vendor length = 6 + attribute specific = priority
The following figure shows an example of the port priority frame format.
Figure 16: Port priority frame format
December 2017
Configuring Security on VOSS
190
RADIUS-assigned VLAN
RADIUS configuration prerequisites for EAP
Connect the RADIUS server to a force-authorized port. This ensures that the port is always
available and not tied to whether or not the device is EAP-enabled. To set up the Authentication
Server, set the following Return List attributes for all user configurations (for more information, see
your Authentication Server documentation):
• VLAN membership attributes
- Tunnel-Type: value 13, Tunnel-Type-VLAN
- Tunnel-Medium-Type: value 6, Tunnel-Medium-Type-802
- Tunnel-Private-Group-ID: ASCII value 1 to 4059 (this value identifies the specified VLAN)
• Port priority (vendor-specific) attributes
- Vendor ID: value 562, Avaya Vendor ID and value 1584, Bay Networks Vendor ID
- Attribute Number: value 1, Port Priority
- Attribute Value: value 0 (zero) to 6 (this value indicates the port priority value assigned to
the specified user)
Important:
You need to configure these attributes only if you require Dynamic VLAN membership or
Dynamic Port priority.
RADIUS accounting for EAP
The switch provides the ability to account EAP and NEAP sessions using the RADIUS accounting
protocol. A user session is defined as the interval between the instance at which a user is
successfully authenticated (port moves to authorized state) and the instance at which the port
moves out of the authorized state.
The following table summarizes the accounting events and information logged.
Table 6: Summary of accounting events and information logged
Event
Radius attributes
Description
User is authenticated by EAP
Acct-Status-Type
Start
Nas-IP-Address
IP address to represent the switch
Nas-Port
Port number on which the user is
EAP or NEAP authorized
Acct-Session-ID
Unique string representing the
session
User-Name
EAP user name or NEAP MAC
Acct-Status-Type
Stop
Nas-IP-Address
IP address to represent the switch
Nas-Port
Port number on which the user is
EAP or NEAP unauthorized
User logs off
Table continues…
December 2017
Configuring Security on VOSS
191
Extensible Authentication Protocol over LAN
Event
Radius attributes
Description
Acct-Session-ID
Unique string representing the
session
User-Name
EAP user name
Acct-Input-Octets
Number of octets input to the port
during the session
Acct-Output-Octets
Number of octets output to the port
during the session
Acct-Terminate-Cause
Reason for terminating user
session. For more information about
the mapping of 802.1x session
termination cause to RADIUS
accounting attribute, see the
following table.
Acct-Session-Time
Session interval
The following table describes the mapping of the causes of 802.1x session terminations to the
corresponding RADIUS accounting attributes.
Table 7: 802.1x session termination mapping
IEEE 802.1Xdot1xAuthSessionTerminateCause Value
RADIUSAcct-Terminate-Cause Value
supplicantLogoff(1)
User Request (1)
portFailure(2)
Lost Carrier (2)
supplicantRestart(3)
Supplicant Restart (19)
reauthFailed(4)
Reauthentication Failure (20)
authControlForceUnauth(5)
Admin Reset (6)
portReInit(6)
Port Reinitialized (21)
portAdminDisabled(7)
Port Administratively Disabled (22)
notTerminatedYet(999)
—
NEAP host
NEAP hosts on EAP-enabled ports
For an EAP-enabled port configured for NEAP host support, devices with MAC addresses getting
authenticated are allowed access to the port.
The switch allows the following types of NEAP users:
• NEAP hosts whose MAC addresses are authenticated by RADIUS.
Support for NEAP hosts on EAP-enabled ports is primarily intended to accommodate printers and
other passive devices sharing a hub with EAP clients.
December 2017
Configuring Security on VOSS
192
NEAP host
Support for NEAP hosts on EAP-enabled ports includes the following features:
• Authenticated NEAP clients are hosts that satisfy one of the following criteria:
- Host MAC address is authenticated by RADIUS.
• NEAP hosts are allowed even if no authenticated EAP hosts exist on the port.
• When a new host is seen on the port, NEAP authentication is performed as follows:
- The switch generates a <username, password> pair, which it forwards to the network
RADIUS server for authentication.
NEAP MAC RADIUS authentication
For RADIUS authentication of a NEAP host MAC address, the switch generates a <username,
password> pair as follows:
• The username is the NEAP MAC address in string format.
• The password is a string that combines the switch IP address, MAC address, port number
and user-configurable key string. If padding option is enabled, the system will specify a dot(.)
for every missing parameter. IP address is represented by three decimal characters per octet.
Important:
Follow these Global Configuration examples to select a password format that combines one or
more of these three elements:
• Padding enabled , password = 010010011253..05. (when the switch IP address and port
are used).
• Padding enabled, password = 010010011253… (when only the switch IP address is
used).
• No padding (default option). Password = 000011220001 (when only the user’s MAC
address is used).
The following example illustrates the <username, password> pair format with no padding enabled
and using the IP address, MAC address, and key-string as the password.
switch IP address = 192.0.2.5
non-EAP host MAC address = 00 C0 C1 C2 C3 C4
port = 25
Key-String = abcdef
• username = 00C0C1C2C3C4
• password = 010010011253.00C0C1C2C3C4.25.abcdef
Use the command show eapol system to verify the formatting.
Switch:1(config)#show eapol system
================================================================================
Eapol System
================================================================================
eap : enabled
non-eap-pwd-fmt : ip-addr.mac-address.abcdef
non-eap-pwd-fmt key : abcdef
non-eap-pwd-fmt padding : disabled
December 2017
Configuring Security on VOSS
193
Extensible Authentication Protocol over LAN
NEAP client
NEAP client re-authentication
The NEAP client re-authentication feature supports the re-authentication of NEAP clients at
defined intervals.
When you enable NEAP client re-authentication, an authenticated NEAP client is only removed
from the authenticated client list if you remove the client account from the RADIUS server, or if you
clear the NEAP authenticated client from the switch.
If an authenticated NEAP client does not generate traffic on the network, the system removes the
MAC address for that client from the MAC address table when MAC ages out. Although the client
MAC address does not appear in the MAC Address table, the client can appear as an
authenticated client.
If you enable NEAP client re-authentication and the RADIUS server that the switch connects to
becomes unavailable, the system clears all authenticated NEAP and removes those clients from
the switch NEAP client list.
You cannot authenticate one NEAP client on more than one switch port simultaneously. If you
connect NEAP clients to a switch port through a hub, those clients are authenticated on that
switch port. If you disconnect a NEAP client from the hub and connect it directly to another switch
port, the client is authenticated on the new port and its authentication is removed from the port to
which the hub is connected.
MAC move for authenticated Non-EAP clients
When you move a Non-EAP client that is authenticated on a specific port, to another port on which
EAPoL or Non-EAP is enabled, MAC move of the client to the new port does not automatically
happen. This is as designed.
As a workaround, do one of the following:
• Clear the non-EAP session on the port that the client is first authenticated on, before you
move the client to another port.
• Create a VLAN on the switch with the same VLAN ID as that dynamically assigned by the
RADIUS server during client authentication. Use the command vlan create <2-4059>
type port-mstprstp <0–63>. Ensure that the new port is a member of this VLAN.
EAP and NEAP limitations
The EAP and NEAP MAC clients on port limits the maximum number of all EAP and NEAP clients
per port. EAP and NEAP MAC clients on port enhancements independently limits the EAP and
NEAP clients per port. The following enhancements are added:
• EAP-MAC-MAX : Limits the total number of EAP clients
• NON-EAP-MAC-MAX: Limits the total number of NEAP clients
.
December 2017
Configuring Security on VOSS
194
EAP and NEAP limitations
Note:
It is recommended that you do not connect more than 100 EAP and 100 NEAP devices on the
switch.
EAP and NEAP mac-max settings
The total number of EAP clients can be set between 0 and 32, while the total number of NEAP
clients can be set between 1 and 32.
Note:
EAP-MAC-MAX is overwritten by MAC-MAX. Even if EAP-MAC-MAX is set to a higher limit,
then MAC-MAX must not exceed and you must not authenticate more than MAC-MAX clients.
Note:
NON-EAP-MAC-MAX is overwritten by MAC-MAX. Even if NON-EAP-MAC-MAX is set to a
higher limit, then MAC-MAX must not exceed and you must not authenticate more than MACMAX clients.
Example scenarios
1. Scenario 1:
• EAP-MAC-MAX 32
• NON-EAP-MAC-MAX 32
• MAC-MAX 10
In this scenario, there are 10 EAP and NEAP authenticated clients, in the order of
authentication.
2. Scenario 2:
• EAP-MAC-MAX 1
• NON-EAP-MAC-MAX 1
• MAC-MAX 1
In this scenario, only 1 EAP or 1 NEAP client is authenticated, in the order of
authentication.
3. Scenario 3:
• EAP-MAC-MAX 5
• NON-EAP-MAC-MAX 10
• MAC-MAX 32
In this scenario, up to 5 EAP clients and 10 NEAP clients are allowed.
4. Scenario 4:
• EAP-MAC-MAX 5
• NON-EAP-MAC-MAX 8
• MAC-MAX 7
In this scenario, up to 5 EAP clients and 7 NEAP clients are allowed. The total number of
EAP or NEAP clients is limited to 7.
December 2017
Configuring Security on VOSS
195
Extensible Authentication Protocol over LAN
Multiple Host Single Authentication
Multiple Host Single Authentication (MHSA) allows MACs to access the network without EAP and
NEAP authentication. Unauthenticated devices can access the network only after an EAP or
NEAP client is successfully authenticated on a port. The VLAN to which the devices are allowed is
the client authenticated VLAN. Unless Guest VLAN is configured, there is no authenticated client
on the port, and no MAC is allowed to access the network.
MHSA is primarily intended to accommodate printers and other passive devices sharing a hub
with EAP and NEAP clients.
MHSA support is on a port-by-port basis for EAP and NEAP enabled ports.
MHSA supports the following functionality:
• The port remains unauthorized when no authenticated hosts exist on the port. Before the first
successful authentication occurs, both EAP and NEAP clients are allowed to negotiate
access on that port but only one host is allowed to perform authentication.
• In MHSA mode, the Guest VLAN applies only when no authenticated client is present on the
port.
• After the first EAP or NEAP client successfully authenticates on a port, other clients cannot
negotiate authentication on that port.
• After the first successful authentication, MACs that are already learned on that port is
flushed.
• NEAP clients are not removed at age event in MHSA mode.
• There is no limit to the number of MACs that are allowed after first successful authentication.
EAP and NEAP MAC clients on port with MHSA
EAP and NEAP client counters such as MAC-MAX, EAP-MAC-MAX, and NON-EAP-MAC-MAX do
not apply when the port operates in MHSA mode. In MHSA mode, there can be only one
authenticated client (EAP or NEAP). Subsequent MACs seen on the port are allowed
automatically without authentication.
Guest VLAN
Guest VLAN support provides limited network access until the client is authenticated. Guest VLAN
is configured irrespective of the number of authenticated clients present on the port. Guest VLAN
is available for each port. Only port based VLANs are used as Guest VLANs. When the Guest
VLAN is active, port is added to the VLAN ID, and port default VLAN ID changes to Guest VLAN
ID.
December 2017
Configuring Security on VOSS
196
Guest VLAN
Guest VLAN on a MHMV port usage scenario
The following example illustrates the configuration of Guest VLAN support with an EAP MHMV
port:
• Clients connect to a switch port through a hub.
• The initial VLANs are the VLANs on which the ports resides after a switch reboot.
• EAP is enabled.
• The port is a member of initial VLANs. The clients cannot access the VLANs since the
VLANs are not authenticated. The port default VLAN ID corresponds to one of the initial
VLAN IDs.
• Guest VLAN support is not activated.
The following figure represents the functionality when clients are not authenticated.
Note:
The clients cannot access the network as they are not authenticated and Guest VLAN is not
configured.
• Guest VLAN support is activated.
• The MHMV port is in the initial VLAN stage but gets added to the Guest VLAN ID. The default
VLAN ID is updates to correspond to the Guest VLAN ID.
December 2017
Configuring Security on VOSS
197
Extensible Authentication Protocol over LAN
• All Clients behind the port can access the Guest VLAN.
The following figure represents the functionality when Guest VLAN is activated.
Note:
All clients have Guest VLAN access.
• A client behind the MHMV port gets authenticated. For this usage scenario let us consider
PC1 as the authenticated client.
• The port default VLAN ID is equal to the Guest VLAN ID and remains unchanged.
• The port is copied into the RADIUS assigned VLAN (if any).
• The untagged traffic that originates from PC1 (identified by MAC address) can access only
the RADIUS assigned VLAN or the initial port default VLAN ID, if the RADIUS VLAN attribute
is missing.
• The remaining clients that send untagged traffic are unauthenticated devices. The
unauthenticated devices can access only the Guest VLAN because the port VLAN ID is equal
to the Guest VLAN ID.
• The initial VLANs are accessed by the following devices:
- Authenticated devices that are missing RADIUS VLAN attributes.
- Authenticated devices that send corresponding tagged packets.
• When another client gets authenticated, the authenticated client undergoes the same
process as PC1.
December 2017
Configuring Security on VOSS
198
Guest VLAN
The following figure represents the functionality when a client gets authenticated:
Note:
PC1 is authenticated with RADIUS VLAN 1. The remain clients have guest VLAN access.
When a client disconnects the following happens:
• The MAC VLAN rule is removed from the switch.
• If the RADIUS VLAN attribute was used with the client was authenticated and no other clients
are authenticated on that RADIUS VLAN, then the port is removed from the VLAN. If other
clients are authenticated on that RADIUS VLAN, then the VLAN MAC rule is deleted.
• If RADIUS VLAN attribute is not used when the client is authenticated, then only the VLAN
MAC rule is deleted.
Guest VLAN on a MHSA port usage scenario
The following is a usage example when Guest VLAN is configured with an EAP MHSA port:
• There are no authenticated EAP or NEAP clients on a port.
• The port is removed from the initial VLANs and moved to Guest VLAN ID.
• The default port VLAN ID changes to Guest VLAN ID.
• All MACs seen on the port have Guest VLAN access.
• Port is removed from the Guest VLAN ID.
December 2017
Configuring Security on VOSS
199
Extensible Authentication Protocol over LAN
• If no RADIUS assigned VLAN is present, then the VLAN membership and the default port
VLAN ID is restored to default settings.
• If the RADIUS assigned VLAN is present, then the VLAN membership and the default port
VLAN ID is changed according to its value.
• Guest VLAN loses its purpose because all MACs are allowed automatically without
authentication
In MHSA mode, the Guest VLAN applies only when no authenticated client is present on the port.
EAP and NEAP separation
EAP and NEAP separation provide the ability to have only NEAP clients allowed on one port. This
is done by allowing eap-mac-max to be set to 0. This enhancement gives you the ability to disable
EAP clients authentication without disabling NEAP clients. There are no additional configuration
commands. For more information, see Configuring maximum EAP clients on page 216 and
Configuring maximum NEAP clients on page 216.
EAP and NEAP VLAN names
VLAN names configures VLAN membership of EAP and NEAP clients. You do not have to
configure this feature as this mode is always enabled by default.
Fail Open VLAN
Fail Open VLAN provides network connectivity when the switch cannot connect to a RADIUS
server. If the switch cannot connect to the primary and secondary RADIUS servers, then after a
specified number of attempts to restore connectivity, the switch declares the RADIUS servers
unreachable. Fail Open VLAN provides the below functionality:
• When the EAP RADIUS servers are not reachable, Fail Open VLAN provides restricted
access to devices, which is separate from the Guest VLAN.
• The EAP and NEAP clients are not affected when the RADIUS servers are not reachable.
Fail Open VLAN is a per-port option. Enable Fail Open VLAN by setting a valid Fail Open VLAN
ID. Configure the selected VLAN ID on the switch. Only port based VLANs must be used as Fail
Open VLANs.
When you configure Fail Open VLAN on a port and the RADIUS servers are not reachable, then
the Fail Open VLAN provides the following functionality:
• The port is removed from Guest VLAN if configured, but all other VLAN membership is kept
and in addition the port is added to the Fail Open VLAN.
December 2017
Configuring Security on VOSS
200
EAPoL configuration using CLI
• Default VLAN ID is changed to Fail Open VLAN ID.
• Traffic from the authenticated EAP and NEAP clients are forwarded as before.
• If re-authentication is enabled in Fail Open VLAN mode, then EAP and NEAP clients stop
performing re-authentication.
• All new MACs seen on the port are considered as potential EAP and NEAP clients and is
granted Fail Open VLAN access.
When at least one RADIUS server recovers, all EAP enabled ports are removed from the Fail
Open VLAN. All unauthenticated MACs are flushed in order to give the MACs an opportunity to
authenticate.
Fail Open VLAN with Guest VLAN scenarios
When an EAP port is configured with both Fail Open VLAN and Guest VLAN, consider the
following scenarios:
1. EAP port operating in MHMV mode:
• If the EAP RADIUS servers are reachable, then all the authenticated clients have Guest
VLAN ID access.
• If the EAP RADIUS servers are not reachable, then Guest VLAN must be removed from
the port completely. Fail Open VLAN is the new default VLAN. All unauthenticated
MACs have Fail Open VLAN access.
2. EAP port operating in MHSA mode:
• Fail Open VLAN has no impact on the Guest VLAN functionality in MHSA mode.
EAPoL configuration using CLI
EAPoL (EAP) uses RADIUS protocol for EAP-authorized logons. RADIUS supports IPv4 and IPv6
addresses, with no difference in functionality or configuration.
Before configuring your device, you must configure at least one EAP RADIUS server and shared
secret fields.
You cannot configure EAP on ports that are currently configured for:
• Shared segments
• MultiLink Trunking (MLT)
Change the status of each port that you want to be controlled to auto. The auto setting
automatically authenticates the port according to the results of the RADIUS server. The default
authentication setting for each port is authorized.
You can connect only a single client on each port configured for EAP. If you attempt to add
additional clients on the EAP authorized port, then the system denies access to the new client and
displays a warning message.
December 2017
Configuring Security on VOSS
201
Extensible Authentication Protocol over LAN
Globally enabling EAP on the device
Enable EAP globally on the switch before you enable it on a port or interface.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Globally configure EAP:
eapol enable
Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# eapol enable
Configuring EAP on an interface
Configure EAP on an interface.
Before you begin
• EAP must be globally enabled.
About this task
When you configure a port with the EAP status of auto (Authorization depends on result of EAP
authentication), only one supplicant is allowed on this port. Multiple EAP supplicants are not
allowed on the same physical switch port.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Enable EAP on an interface:
December 2017
Configuring Security on VOSS
202
EAPoL configuration using CLI
eapol status {authorized|auto}
3. Disable EAP on on interface:
no eapol status
Example
Enable EAP on an interface:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface GigabitEthernet 1/2
Switch:1(config-if)# eapol status auto
Disable EAP on an interface:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface GigabitEthernet 1/2
Switch:1(config-if)# no eapol status
Variable definitions
Use the data in the following table to use the eapol status command.
Variable
Value
authorized
Specifies that the port is always authorized. The default value is
authorized.
auto
Specifies that port authorization depends on the results of the EAP
authentication by the RADIUS server. The default value is authorized.
Configuring EAP on a port
Configure EAP on a specific port when you do not want to apply EAP to all of the switch ports.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Configure the maximum EAP requests sent to the supplicant before timing out the session:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
max-request <1-10>
December 2017
Configuring Security on VOSS
203
Extensible Authentication Protocol over LAN
3. Configure the time interval between authentication failure and the start of a new
authentication:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
quiet-interval <1-65535>
4. Enable reauthentication:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
re-authentication enable
5. Configure the time interval between successive authentications:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
re-authentication-period <1-65535>
Note:
The EAP re-authentication period value is between 1-65535. Early releases support up
to 2147483647. To maintain backward compatibility the CLI value is between 1–
2147483647. Trying to configure above 65535 results in an error.
6. Configure the EAP authentication status:
eapol port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
status {authorized|auto}
Example
Configure the maximum EAP requests sent to the supplicant before timing out the session:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface GigabitEthernet 1/2
Switch:1(config-if)#eapol max-request 10
Switch:1(config-if)#eapol port 1/2 quiet-interval 500
Variable definitions
Use the data in the following table to use the eapol port command.
Variable
Value
{slot/port[/sub-port] [-slot/port[/subport]] [,...]}
Specifies the port or list of ports used by EAP.
Identifies the slot and port in one of the following formats: a single
slot and port (slot/port), a range of slots and ports (slot/port-slot/
port), or a series of slots and ports (slot/port,slot/port,slot/port). If
your platform supports channelization and the port is channelized,
you must also specify the sub-port in the format slot/port/sub-port.
max-request <1-10>
Specifies the maximum EAP requests sent to the supplicant
before timing out the session. The default is 2.
quiet-interval <1-65535>
Specifies the time interval in seconds between the authentication
failure and start of a new authentication. The default is 60.
Table continues…
December 2017
Configuring Security on VOSS
204
EAPoL configuration using CLI
Variable
Value
re-authentication enable
Enables reauthentication of an existing supplicant at a specified
time interval.
re-authentication-period <1-65535>
Specifies the time interval in seconds between successive
reauthentications. The default is 3600 (1 hour).
Note:
The EAP re-authentication period value is between 1–65535.
Early releases support up to 2147483647. To maintain
backward compatibility the CLI value is between 1–
2147483647. Trying to configure above 65535 results in an
error.
status {authorized|auto}
Specifies the desired EAP authentication status for this port.
Configuring an EAP-enabled RADIUS server
The switch uses RADIUS servers for authentication and accounting services. Use the no form to
delete a RADIUS server.
Before you begin
• You must enable EAP globally.
About this task
The RADIUS server uses the secret key to validate users.
RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Add an EAP-enabled RADIUS server:
radius server host WORD <0–46> used-by eapol acct-enable
radius server host WORD <0–46> used-by eapol acct-port <1-65536>
radius server host WORD <0–46> used-by eapol enable
radius server host WORD <0–46> used-by eapol key WORD<0-20>
radius server host WORD <0–46> used-by eapol port <1-65536>
radius server host WORD <0–46> used-by eapol priority <1-10>
radius server host WORD <0–46> used-by eapol retry <0-6>
radius server host WORD <0–46> used-by eapol source-ip WORD <0–46>
December 2017
Configuring Security on VOSS
205
Extensible Authentication Protocol over LAN
radius server host WORD <0–46> used-by eapol timeout <1-20>
By default, the switch uses RADIUS UDP port 1812 for authentication, and port 1813 for
accounting. You can change the port numbers or other RADIUS server options.
Example
Switch:1> enable
Switch:1# configure terminal
Add an EAP RADIUS server:
Switch:1(config)# radius server host fe80:0:0:0:21b:4fff:fe5e:73fd key
radiustest used-by eapol
Variable definitions
Use the data in the following table to configure an EAP-enabled RADIUS server with the radius
server host command.
Variable
Value
host WORD<0–46>
Specifies the IP address of the selected server. RADIUS supports
IPv4 and IPv6 addresses, with no difference in functionality or
configuration.
WORD<0-20>
Specifies the secret key, which is a string of up to 20 characters.
Use the data in the following table to use optional arguments of the radius server host
command.
Variable
Value
port <1-65535>
Specifies the port ID number.
priority <1-10>
Specifies the priority number. The lowest number is the highest
priority.
retry <0-6>
Specifies the retry count of the account.
timeout <1-10>
Specifies the timeout of the server. The default is 30.
enable
Enables the functions used by the RADIUS server host.
acct-port <1-65536>
Specifies the port account.
acct-enable
Enables the account.
source-ip WORD<0–46>
Specifies the IP source. RADIUS supports IPv4 and IPv6
addresses, with no difference in functionality or configuration.
Configuring the switch for EAP and RADIUS
Perform the following procedure to configure the switch for EAP and RADIUS.
December 2017
Configuring Security on VOSS
206
EAPoL configuration using CLI
About this task
You must configure the switch, through which user-based-policy (UBP) users connect to
communicate with the RADIUS server to exchange EAP authentication information, as well as
user role information. You must specify the IP address of the RADIUS server, as well as the
shared secret (a password that authenticates the device with the RADIUS server as an EAP
access point). You must enable EAP globally on each device, and you must configure EAP
authentication on each device port, through which EAP/UBP users connect.
RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration.
For more information about EPM and UBP, see the user documentation for your Enterprise Policy
Manager (EPM) application.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a RADIUS server that is used by EAP:
radius server host WORD <0–46> key WORD<0-20> used-by eapol
3. Log on to the Interface Configuration mode:
interface vlan <1-4059>
4. Enable the device to communicate through EAP:
eapol enable
5. Exit from VLAN interface mode:
exit
6. Enter Interface Configuration mode:
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
7. Enable device ports for EAP authentication:
eapol port {slot/port[/sub-port][-slot/port[/sub-port]][,...]}
status auto
8. Enable periodic supplicant re-authenticating:
eapol port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} reauthentication enable
9. Save your changes:
save config
Example
Switch:1> enable
December 2017
Configuring Security on VOSS
207
Extensible Authentication Protocol over LAN
Switch:1# configure terminal
Create a RADIUS server that is used by EAP:
Switch:1(config)# radius server host fe90:0:0:0:21b:4eee:fe5e:75fd key
radiustest used-by eapol
Switch:1(config)# interface vlan 2
Enable the device to communicate through EAP:
Switch:1(config-if)# eapol enable
Save your changes:
Switch:1(config-if)# save config
Variable definitions
Use the data in the following table to use the radius server host WORD<0–46> usedby
eapol command.
Variable
Value
host WORD<0–46>
Specifies the IP address of the selected server.
This address tells the device where to find the RADIUS server, from which
it obtains EAP authentication and user role information.
RADIUS supports IPv4 and IPv6 addresses, with no difference in
functionality or configuration.
key WORD<0-20>
Specifies the shared secret key that you use for RADIUS authentication.
The shared secret is held in common by the RADIUS server and all EAPenabled devices in your network. It authenticates each device with the
RADIUS server as an EAP access point. When you configure your
RADIUS server, you must configure the same shared secret value as you
specify here.
Changing the authentication status of a port
The switch authorizes ports by default, which means that the ports are always authorized and are
not authenticated by the RADIUS server.
You can also make the ports controlled so that they are dependent on being authorized by the
Radius Server when you globally enable EAP (auto).
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
December 2017
Configuring Security on VOSS
208
EAPoL configuration using CLI
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Configure the authorization status of a port:
eapol status {authorized|auto}
Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 3/1
Configure the authorization status of a port:
Switch:1(config-if)# eapol status auto
Variable definitions
Use the data in the following table to use the eapol status command.
Variable
Value
authorized
Specifies that the port is always authorized. The default value is
authorized.
auto
Specifies that port authorization depends on the results of the EAP
authentication by the RADIUS server. The default value is authorized.
Deleting an EAP-enabled RADIUS server
Delete an EAP-enabled RADIUS server if you want to remove the server.
About this task
RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Delete an EAP-enabled RADIUS server:
no radius server host WORD<0–46> used-by eapol
Example
Switch:1> enable
Switch:1# configure terminal
December 2017
Configuring Security on VOSS
209
Extensible Authentication Protocol over LAN
Switch:1(config)# no radius server host fe79:0:0:0:21d:4fdf:fe5e:73fd
used-by eapol
Variable definitions
Use the data in the following table to use the radius server host WORD<0–46> usedby
eapol command.
Variable
Value
host WORD<0–46>
Specifies the IP address of the selected server.
This address tells the device where to find the RADIUS server, from which
it obtains EAP authentication and user role information.
RADIUS supports IPv4 and IPv6 addresses, with no difference in
functionality or configuration.
key WORD<0-20>
Specifies the shared secret key that you use for RADIUS authentication.
The shared secret is held in common by the RADIUS server and all EAPenabled devices in your network. It authenticates each device with the
RADIUS server as an EAP access point. When you configure your
RADIUS server, you must configure the same shared secret value as you
specify here.
Configuring Fail Open VLAN
About this task
Use this procedure to configure Fail Open VLAN.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Configure Fail Open VLAN:
eapol fail-open-vlan <1-4059>
Example
Configure the Fail Open VLAN.
Switch:1>enable
Switch:1#configure terminal
December 2017
Configuring Security on VOSS
210
EAPoL configuration using CLI
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config)#eapol fail-open-vlan 10
Variable definitions
Use the data in the following table to use the eapol fail-open-vlan command.
Variable
Value
<1-4059>
Specifies the VLAN ID in the range of 1 to 4059. By default,
VLAN IDs 1 to 4059 are configurable and the system
reserves VLAN IDs 4060 to 4094 for internal use. On
switches that support the vrf-scaling and spbm-config-mode
boot configuration flags, if you enable these flags, the
system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is
the default VLAN and you cannot create or delete VLAN ID
1.
Displaying the current EAP-based security status
Use the following procedure to display the status of the EAP-based security.
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display the current EAP-based security status:
show eapol auth-stats interface [gigabitEthernet {slot/port[/subport] [-slot/port[/sub-port]] [,...]}]
show eapol multihost non-eap-mac status [vlan <1-4059>] [{slot/
port[/sub-port] [-slot/port[/sub-port]] [,...]}]
show eapol port {interface [gigabitEthernet {slot/port[/sub-port]
[-slot/port[/sub-port]] [,...]}] | {slot/port[/sub-port] [-slot/
port[/sub-port]] [,...]}}
show eapol session-stats interface [gigabitEthernet {slot/port[/
sub-port] [-slot/port[/sub-port]] [,...]}]
show eapol status interface [vlan <1-4059>] [gigabitEthernet {slot/
port[/sub-port] [-slot/port[/sub-port]] [,...]}]
show eapol system
Example
Switch:#enable
Switch:1#show eapol system
================================================================================
Eapol System
================================================================================
eap : disabled
December 2017
Configuring Security on VOSS
211
Extensible Authentication Protocol over LAN
Eapol Version : 3
non-eap-pwd-fmt : ip-addr.mac-addr.port-number
non-eap-pwd-fmt key :
non-eap-pwd-fmt padding : disabled
-------------------------------------------------------------------------------Switch:#enable
Switch:1#show eapol port interface gigabitEthernet
=================================================================================
Eapol Configuration
=================================================================================
PORT STATUS OPER MAX QUIET REAUTH REAUTH NON-EAP MAX MAX MAX
GST
FA
NUM
MODE REQ INTVL PERIOD ENABLE ENABLE
MAC EAP NEAP VLAN VL
=================================================================================
1/1
Auth
MHMV 2
60
3600
false
false
8
1
1
N/A N/A
1/2
Auth
MHMV 2
60
3600
false
false
1
1
1
10
N/A
1/3
Auth
MHSA 2
60
3600
false
false
1
1
1
20
N/A
Variable definitions
Use the data in the following table to use the show eapol command.
Variable
Value
auth-stats [gigabitEthernet {slot/port[/
sub-port] [-slot/port[/sub-port]] [,...]}]
Displays the authentication statistics interface.
Note:
auth-stats [gigabitEthernet {slot/port[/sub-port] [-slot/port[/subport]] [,...]} is useful only for EAP supplicants. The command
output changes only when the EAP supplicant tries to access
the network.
multihost non-eap-mac status [vlan
<1-4059>] [{slot/port[/sub-port] [-slot/
port[/sub-port]] [,...]}]
Displays EAP multihost configuration.
port {interface [gigabitEthernet {slot/
Specifies the ports to display. If no port is entered, all ports are
port[/sub-port] [-slot/port[/sub-port]]
displayed.
[,...]}] | {slot/port[/sub-port] [-slot/port[/
sub-port]] [,...]}}
session-stats interface
Displays the authentication session statistics interface.
[gigabitEthernet {slot/port[/sub-port] [slot/port[/sub-port]] [,...]}]
status interface [vlan <1-4059>]
Displays the port EAP operation statistics.
[gigabitEthernet {slot/port[/sub-port] [slot/port[/sub-port]] [,...]}]
system
Displays EAP settings.
Displaying the port VLAN information
Use the following procedure to display the port VLAN information.
Procedure
1. Enter Privileged EXEC mode:
December 2017
Configuring Security on VOSS
212
EAPoL configuration using CLI
enable
2. Display the port VLAN information:
show interfaces [gigabitEthernet {slot/port[/sub-port] [-slot/
port[/sub-port]] [,...]}] [vlan <1-4059>]
Example
Switch:#enable
Switch:1#show interfaces gigabitethernet vlan
=====================================================================================
Port Vlans
=====================================================================================
PORT
DISCARD DISCARD
DEFAULT VLAN
PORT
UNTAG
DYNAMIC UNTAG
NUM
TAGGING TAGFRAM UNTAGFRAM VLANID IDS
TYPE
DEFVLAN VLANS
VLANS
------------------------------------------------------------------------------------1/1
disable false
false
1
1
normal
disable P
1
1/2
enable false
false
1
1,3,10
normal
disable P
1,10
1/3
enable false
false
1
1,10,20
normal
disable P
Variable definitions
Use the data in the following table to use the show interfaces command.
Variable
Value
{slot/port[/sub-port] [-slot/port[/sub-port]]
[,...]}
Identifies the slot and port in one of the following formats: a
single slot and port (slot/port), a range of slots and ports
(slot/port-slot/port), or a series of slots and ports (slot/
port,slot/port,slot/port). If your platform supports
channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
<1-4059>
Specifies the VLAN ID in the range of 1 to 4059. By default,
VLAN IDs 1 to 4059 are configurable and the system
reserves VLAN IDs 4060 to 4094 for internal use. On
switches that support the vrf-scaling and spbm-config-mode
boot configuration flags, if you enable these flags, the
system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is
the default VLAN and you cannot create or delete VLAN ID
1.
Configuring the format of the RADIUS password attribute when
authenticating NEAP MAC addresses using RADIUS
Use the following procedure to configure the format of the RADIUS password when authenticating
NEAP MAC addresses using RADIUS.
Procedure
1. Enter Global Configuration mode:
enable
December 2017
Configuring Security on VOSS
213
Extensible Authentication Protocol over LAN
configure terminal
2. Configure the RADUIS password format:
eapol multihost non-eap-pwd-fmt {[ip-addr] [key WORD<1-32>] [macaddr] [padding] [port-number]}
Variable definitions
Use the data in the following table to use the eapol multihost non-eap-pwd-fmt command.
Variable
Value
ip-addr
Management ip-address of the switch.
key WORD<1-32>
Key value used for non-eap password format.
mac-addr
Mac-Address of the client.
padding
Includes a dot in the RADIUS password for every missing
parameter.
port-number
Index of the port on which MAC is received.
Note:
To derive the port number for an interface, use the command show interfaces gigabit
[{slot/port[/sub-port][-slot/port[/sub-port]][,...]}] .
If you configure interface 1/6 on the product, to derive the port-number for this interface, use the
command show interfaces gigabitEthernet 1/6. From this command, you can ascertain
that port number used in the NEAP password is 197.
Switch:1(config)# show interfaces gigabitEthernet 1/6
==========================================================================================
Port Interface
==========================================================================================
PORT
LINK PORT
PHYSICAL
STATUS
NUM
INDEX DESCRIPTION
TRAP LOCK
MTU
ADDRESS
ADMIN OPERATE
-----------------------------------------------------------------------------------------1/6
197
1000BaseTX
true false
1950 f8:15:47:e1:dd:05 up
up
Enabling RADIUS authentication of NEAP hosts on EAP enabled
ports
For RADIUS authentication of NEAP hosts on EAP-enabled ports, you must enable EAP globally
on the switch and then enable NEAP hosts on the local interface.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
December 2017
Configuring Security on VOSS
214
EAPoL configuration using CLI
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Enable RADIUS authentication of NEAP hosts on the local interface:
eapol multihost radius-non-eap-enable
Configuring the maximum MAC clients
Use this procedure to configure the maximum EAP and NEAP MAC clients supported on a port.
Procedure
1. Enter Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]} or interface vlan <1–4059>
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Set the maximum limit of allowed EAP and NEAP MAC clients supported on the port:
eapol multihost mac-max <1-32>
Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# interface GigabitEthernet 1/16
Switch:1(config-if)# eapol multihost mac-max <1-32>
Variable definitions
Use the data in the following table to use the eapol multihost mac-max command.
Variable
Value
mac-max <1-32>
Specifies the maximum number of EAP and NEAP MAC
addresses allowed on the port. The maximum limit is 32 MAC
addresses.
December 2017
Configuring Security on VOSS
215
Extensible Authentication Protocol over LAN
Configuring maximum EAP clients
About this task
Use this procedure to configure the maximum EAP clients allowed on the port at one time.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Configure the maximum EAP clients:
eapol multihost eap-mac-max <0-32>
Note:
eap-mac-max is also used to provide EAP and NEAP separation functionality. By
default the EAP clients are enabled per port and eap-mac-max limit is 1. If eap-macmax is set to 0 then EAP client authentication is disabled.
Example
Configure the maximum EAP clients allowed on the port at one time.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config)#eapol multihost eap-mac-max 10
Variable definitions
Use the data in the following table to use the eapol multihost eap-mac-max command.
Variable
Value
<0–32>
Specifies the maximum EAP clients allowed on the port at
one time. The default is 1.
Configuring maximum NEAP clients
About this task
Use this procedure to configure the maximum NEAP clients allowed on the port at one time.
December 2017
Configuring Security on VOSS
216
EAPoL configuration using CLI
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Configure the maximum NEAP clients:
eapol multihost non-eap-mac-max <0-32>
Note:
non-eap-mac-max is also used to provide EAP and NEAP separation functionality. By
default the NEAP clients are enabled per port and non-eap-mac-max limit is 1. If noneap-mac-max is set to 0 then NEAP client authentication is disabled.
Example
Configure the maximum NEAP clients allowed on the port at one time.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config)#eapol multihost non-eap-mac-max 10
Variable definitions
Use the data in the following table to use the eapol multihost non-eap-mac-max command.
Variable
Value
<0–32>
Specifies the maximum NEAP clients allowed on the port at
one time. The default is 1.
Configuring the Guest VLAN ID
About this task
Use this procedure to configure the Guest VLAN ID.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
December 2017
Configuring Security on VOSS
217
Extensible Authentication Protocol over LAN
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Configure the Guest VLAN ID:
eapol guest—vlan <1-4059>
Example
Configure the Guest VLAN ID.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config)#eapol guest-vlan 10
Variable definitions
Use the data in the following table to use the eapol guest-vlan command.
Variable
Value
<1-4059>
Specifies the VLAN ID in the range of 1 to 4059. By default,
VLAN IDs 1 to 4059 are configurable and the system
reserves VLAN IDs 4060 to 4094 for internal use. On
switches that support the vrf-scaling and spbm-config-mode
boot configuration flags, if you enable these flags, the
system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is
the default VLAN and you cannot create or delete VLAN ID
1.
Clearing NEAP session
Use this procedure to clear the NEAP session that is learnt on the switch.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Clear the NEAP session:
clear eapol non-eap [<0x00:0x00:0x00:0x00:0x00:0x00>] [{slot/port[/
sub-port][-slot/port[/sub-port]][,...]}
<0x00:0x00:0x00:0x00:0x00:0x00>]
December 2017
Configuring Security on VOSS
218
EAPoL configuration using CLI
Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# clear 1/16 00:1b:63:84:45:e6
Variable definitions
Use the data in the following table to use the clear eapol non-eap command.
Variable
Value
{slot/port[/sub-port][-slot/port[/subport]][,...]}
Specifies the port list on which the NEAP MAC is learnt.
0x00:0x00:0x00:0x00:0x00:0x00
Specifies the MAC-Address on the NEAP session.
Configuring EAP operational mode
About this task
Use this procedure to configure the EAP operational mode.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. configure the EAP operational mode:
eapol multihost eap-oper-mode {mhmv | mhsa}
Note:
The default EAP operational mode is MHMV.
Example
Configure the EAP operational mode:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config)#eapol eap-oper-mode mhsa
December 2017
Configuring Security on VOSS
219
Extensible Authentication Protocol over LAN
Variable definitions
Use the data in the following table to use the eapol multihost eap-oper-mode command.
Variable
Value
mhmv
Specifies the EAP operational mode as Mutiple Host Multiple
VLAN.
mhsa
Specifies the EAP operational mode as Mutiple Host Single
Authentication.
EAP configuration using Enterprise Device Manager
EAPoL (EAP) uses RADIUS protocol for EAP-authorized logons. RADIUS supports IPv4 and IPv6
addresses with no difference in functionality or configuration in all but the following case. When
adding a RADIUS server in Enterprise Device Manager (EDM) or modifying a RADIUS
configuration in EDM, you must specify if the address type is an IPv4 or an IPv6 address.
Before you begin
• Before configuring your device, you must configure at least one EAP RADIUS server and
shared secret fields.
• You cannot configure EAP on ports that are currently configured for:
- Shared segments
- MultiLink Trunking (MLT)
• Change the status of each port that you want to be controlled to auto. For more information
on changing the status, see Configuring EAP on a port on page 221. The auto setting
automatically authenticates the port according to the results of the RADIUS server. The
default authentication setting for each port is force-authorized.
• You can connect only a single client on each port configured for EAP. If you attempt to add
additional clients on the EAP authorized port, the client traffic will be blocked from the switch
till mac-ageing occurs for that client.
Globally configuring EAP on the server
About this task
Globally enable or disable EAP on the switch. By default, EAP is disabled.
Procedure
1. In the navigation tree, expand the following folders: Configuration > Security > Data
Path.
2. Click 802.1x - EAPOL.
December 2017
Configuring Security on VOSS
220
EAP configuration using Enterprise Device Manager
3. Click the Global tab.
4. From the AccessControl options, select enable.
5. (Optional) Select the appropriate NonEapRadiusPwdAttrFmt check boxes to configure
the format of the RADIUS password when authenticating non-EAP MAC addresses using
RADIUS.
6. (Optional) Enter the key string in the NonNonEapRadiusPwdAttkeystring field.
7. (Optional) Check the ClearNonEap check box to clear the NEAP session that is learned
on the switch.
8. Click Apply.
Global field descriptions
Use the data in the following table to use the Global tab.
Name
Description
EapolVersion
Displays the EAP version on the switch.
AccessControl
Enables system authentication control. EAP is
disabled by default.
NonEapRadiusPwdAttrFmt
Specifies the password attribute format for non EAP
RADIUS authentication.
• ipAdd: Specifies IP address.
• macAddr: Specifies MAC address.
• portNumber: Specifies port number
• padding: Specifies padding.
NonEapRadiusPwdAttrKeyString
Specifies the attribute key string for non EAP
RADIUS password. The range is 0– 32 characters.
ClearNonEap
Clears the NEAP session that is learned on the
switch.
Configuring EAP on a port
About this task
Configure EAP or change the authentication status on one or more ports.
Ports are force-authorized by default. Force-authorized ports are always authorized and are not
authenticated by the RADIUS server. You can change this setting so that the ports are always
unauthorized.
Procedure
1. In the Device Physical View tab, select the port you need to configure.
2. In the navigation tree, expand the following folders: Configuration > Edit > Port.
December 2017
Configuring Security on VOSS
221
Extensible Authentication Protocol over LAN
3. Click General.
4. Click the EAPOL tab.
5. (Optional) Select the AllowNonEapHost check box to allow hosts that do not participate
in 802.1X authentication to get network access.
6. Select the Status option as auto or forceAuthorized.
7. In the MultiHostMaxClients field, type the maximum limit of allowed EAP and NEAP
clients supported on this port.
8. In the GuestVLANId field, type the VLAN ID to be used as a Guest VLAN ID.
9. In the FailOpenVlanId field, type the Fail Open VLAN ID.
10. In the NonEapMaxClients field, type the maximum number NEAP authentication MAC
addresses allowed on this port.
11. In the EapMaxClients field, type the maximum number of EAP authentication MAC
addresses allowed on this port.
12. Select the MultiHostSingleAuthEnabled check box to automatically authenticate NEAP
MAC addresses on this port.
13. Select the ReAuthEnabled field.
14. In the QuietPeriod field, type the time interval.
15. In the ReauthPeriod field, type the time between reauthentication.
16. In the RetryMax field, type the number of times.
17. Click Apply.
EAPoL field descriptions
Use the data in the following table to use the EAPoL tab.
Name
Description
PortCapabilities
Displays the capabilities of the Port Access Entity (PAE)
associated with the port. This parameter indicates whether
Authenticator functionality, supplicant functionality, both, or
neither, is supported by the PAE of the port.
The following capabilities are supported by the PAE of the port:
• authImplemented: A Port Access Controller Protocol (PACP)
Extensible Authentication Protocol (EAP) authenticator
functions are implemented.
• virtualPortsImplemented: Virtual Port functions are
implemented.
PortVirtualPortsEnable
Displays the status of the Virtual Ports function for the real port
as True or False.
PortCurrentVirtualPorts
Displays the current number of virtual ports running in the port
Table continues…
December 2017
Configuring Security on VOSS
222
EAP configuration using Enterprise Device Manager
Name
Description
PortAuthenticatorEnable
Displays the status of the Authenticator function in the Port
Access Entity (PAE) as True or False.
PortSupplicantEnable
Displays the Supplicant function in the Port Access Entity (PAE)
as True or False.
AllowNonEapHost
Enables the system to allow hosts that do not participate in
802.1X authentication to get network access. The default is
disabled.
Status
Configures the authentication status for this port. The default is
forceAuthorized.
• auto: enables the EAP authentication process by sending the
EAP request messages to the RADIUS server.
• forceAuthorized: disables the EAP authentication and puts the
port into force-full authorized mode.
MultiHostMaxClients
Specifies the value representing the maximum number of
supplicants allowed to get authenticated on the port.
GuestVLANId
Specifies the VLAN to be used as a Guest VLAN. Access to
unauthenticated hosts connected to this port is provided
through this VLAN. 0 indicates that Guest VLAN is not enabled
for this port.
FailOpenVlanId
Specifies the Fail Open VLAN ID for this port. If the switch
declares the RADIUS servers unreachable, then all new
devices are allowed access into the configured Fail Open
VLAN. 0 indicates that Fail Open VLAN is not enabled for this
port.
NonEapMaxClients
Specifies the maximum number of NEAP authentication MAC
addresses allowed on this port. Zero indicates that NEAP
authentication is disabled for this port.
EAPMaxClients
Specifies the maximum number of EAP authentication MAC
addresses allowed on this port. Zero indicates that EAP
authentication is disabled for this port
MultiHostSingleAuthEnabled
Indicates that the unauthenticated devices can access the
network only after an EAP or NEAP client is successfully
authenticated on the port. The VLAN to which the devices are
allowed access is the authenticated client's VLAN. The default
is false.
Authenticator configuration
Displays the current Authenticator Port Access Entity (PAE)
state.
The states are:
• authenticate
• authenticated
• Failed
Table continues…
December 2017
Configuring Security on VOSS
223
Extensible Authentication Protocol over LAN
Name
Description
ReAuthEnabled
Reauthenticates an existing supplicant at the time interval
specified in ReAuthPeriod. The default is disabled.
QuietPeriod
Configures the time interval (in seconds) between
authentication failure and the start of a new authentication.
ReAuthPeriod
Reauthenticates an existing supplicant at the time interval
specified in ReAuthPeriod.
Configures the time interval (in seconds) between successive
reauthentications. The default is 3600 (1 hour).
RetryMax
Specifies the maximum Extensible Authentication Protocol
(EAP) requests sent to the supplicant before timing out the
session. The default is 2.
RetryCount
Specifies the maximum number of retries attempted.
Showing the Port Access Entity Port table
About this task
Use the Port Access Entity (PAE) Port Table to display system-level information for each port the
PAE supports. An entry appears in this table for each port of this system.
Procedure
1. In the navigation tree, expand the following folders: Configuration > Security > Data
Path.
2. Click 802.1x - EAPOL.
3. Click the EAP Security tab.
EAP Security field descriptions
Use the data in the following table to use the EAP Security tab.
Name
Description
PortNumber
Indicates the port number associated with this port.
PortCapabilties
Indicates the capabilities of this PAE port.
• authImplemented—PACP EAP authenticator functions are
implemented in this PAE.
• virtualPortsImplemented—Virtual Port functions are
implemented in this PAE.
PortVirtualPortsEnable
Displays the status of the Virtual Ports function for the real port
as True or False.
PortCurrentVirtualPorts
Displays the current number of virtual ports running in the port
Table continues…
December 2017
Configuring Security on VOSS
224
EAP configuration using Enterprise Device Manager
Name
Description
PortAuthenticatorEnable
Displays the status of the Authenticator function in the Port
Access Entity (PAE) as True or False.
PortSupplicantEnable
Displays the Supplicant function in the Port Access Entity
(PAE) as True or False.
AllowNonEapHost
Displays the status if the system is enabled to allow hosts that
do not participate in 802.1X authentication to get network
access.
Status
Displays the authentication status for this port. The default is
forceAuthorized.
MultiHostMaxClients
Indicates the value representing the maximum number of
supplicants allowed to get authenticated on the port.
GuestVLANId
Displays the VLAN to be used as a Guest VLAN. Access to
unauthenticated hosts connected to this port is provided
through this VLAN. 0 indicates that Guest VLAN is not enabled
for this port.
FailOpenVLANId
Displays the Fail Open VLAN ID for this port. If the switch
declares the RADIUS servers unreachable, then all new
devices are allowed access into the configured Fail Open
VLAN. 0 indicates that Fail Open VLAN is not enabled for this
port.
NonEapMaxClients
Indicates the maximum number of non-EAPoL authentication
MAC addresses allowed on this port. Zero indicates that nonEAPol authentication is disabled for this port.
EapMaxClients
Indicates the maximum number of EAPoL authentication MAC
addresses allowed on this port. Zero indicates that EAPol
authentication is disabled for this port.
MultiHostSingleAuthEnabled
Indicates that the unauthenticated devices can access the
network only after an EAP or NEAP client is successfully
authenticated on the port. The VLAN to which the devices are
allowed access is the authenticated client's VLAN. The default
is false.
Showing EAP Authentication
About this task
Use the Authenticator Configuration table to display configuration objects for the Authenticator
PAE associated with each port.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Data
Path.
2. Click 802.1x - EAPOL.
December 2017
Configuring Security on VOSS
225
Extensible Authentication Protocol over LAN
3. Click the Authentication tab.
Authentication field descriptions
Use the data in the following table to use the Authentication tab.
Name
Description
PortNumber
Indicates the number associated with this port.
Authenticate
Indicates the status of the Port Access Entity (PAE)
authenticator requesting authentication.
Authenticated
Indicates the current authentication status of the Port Access
Entity (PAE) authenticator.
Failed
Indicates the authentication status for failed or terminated
state .
ReAuthEnabled
Indicates the re-authentication status of an existing supplicant
at the time interval specified in ReAuthPeriod. The default is
false.
QuietPeriod
Indicates the time interval (in seconds) between authentication
failure and the start of a new authentication.
The default is 60.
ReAuthPeriod
Indicates the time interval in seconds between successive reauthentications. The default is 3600 (1 hour ).
RetryMax
Indicates the maximum Extensible Authentication Protocol
(EAP) requests sent to the supplicant before timing out the
session. The default is 2.
RetryCount
Indicates the count of the number of authentication attempts.
Viewing Multihost status information
Use the following procedure to display multiple host status for a port.
Procedure
1. In the navigation pane, expand the Configuration --> Security --> Data Path folders.
2. Click 802.1x–EAPOL.
3. Click the MultiHost Status tab.
MultiHost status field descriptions
The following table describes values on the MultiHost Status tab.
Name
Description
PortNumber
Indicates the port number associated with this port.
Table continues…
December 2017
Configuring Security on VOSS
226
EAP configuration using Enterprise Device Manager
Name
Description
ClientMACAddr
Indicates the MAC address of the client.
PaeState
Indicates the current state of the authenticator PAE
state machine.
VlanId
Indicates the VLAN assigned to the client.
Viewing EAP session statistics
Use the following procedure to display multiple host session information for a port.
Procedure
1. In the navigation pane, expand the Configuration --> Security --> Data Path folders.
2. Click 802.1x–EAPOL.
3. Click the MultiHost Session tab.
MultiHost session field descriptions
The following table describes values on the MultiHost Session tab.
Name
Description
StatsPortNumber
Indicates the port number associated with this port.
StatsClientMACAddr
Indicates the MAC address of the client.
Id
Indicates the unique identifier for the session.
AuthenticMethod
Indicates the authentication method used to
establish the session.
Time
Indicates the elapsed time of the session.
TerminateCause
Indicates the cause of the session termination.
UserName
Indicates the user name that represents the identity
of the supplicant PAE.
Viewing NEAP MAC information
Use this procedure to view NEAP client MAC information on a port.
Procedure
1. In the navigation pane, expand the Configuration --> Security --> Data Path folders.
2. Click 802.1x–EAPOL.
3. Click the NEAP Radius tab.
December 2017
Configuring Security on VOSS
227
Extensible Authentication Protocol over LAN
NEAP Radius field descriptions
The following table describes values on the NEAP Radius tab.
Name
Description
MacPort
Indicates the port number associated with this port.
MacAddr
Indicates the MAC address of the client.
MacStatus
Indicates the authentication status of the NEAP host
that is authenticated using the RADIUS server.
VlanId
Indicates the VLAN assigned to the client.
MacClear
Clears the non EAP MAC entry associated with a
specific index.
December 2017
Configuring Security on VOSS
228
Chapter 6: IPsec
The following sections describe Internet Protocol Security (IPsec) and its configuration.
IPsec fundamentals
Internet Protocol Security (IPsec) ensures the authenticity, integrity, and confidentiality of data at
the network layer of the Open System Interconnection (OSI) stack.
The IPsec feature is a set of security protocols and cryptographic algorithms that protect
communication in a network. Use IPsec in scenarios where you need to encrypt packets between
two hosts, or two routers, or a router and a host.
You can only configure the IPsec policies for IPv4 addresses for UDP, TCP, and ICMPv4
protocols.
IPsec adds support for OSPF virtual link for the security protection of the communication between
the end points. You can also use IPsec with OSPFv3 on a brouter port or VLAN interface, for
example, if you want to encrypt OSPFv3 control traffic on a broadcast network. You can also use
IPsec with ICMPv6.
Note:
• If you downgrade your software, the current IPsec configurations are no longer
supported. You must boot with the factory default settings for IPsec, and then reconfigure
the IPsec features.
• You can only configure the IPsec policies for IPv4 addresses for UDP, TCP, and ICMPv4
protocols. You can continue to configure IPsec policies for IPv6 addresses for ICMPv6,
OSPFv3, TCP, and UDP.
The following figure displays the movement of traffic using IPsec.
December 2017
Configuring Security on VOSS
229
IPsec
Figure 17: Internet Protocol Security (IPsec)
The IPsec feature uses security ciphers and encryption algorithms like AES, DES, and 3DES to
ensure confidentiality of data, and keyed MAC for authenticity of data. The encryption algorithms
require shared keys to secure the communication. The device only supports manual keying and
configuration for IPsec. The IPsec feature supports IPv4 and IPv6 interfaces.
To configure IPsec, you create an IPsec policy, and then link the IPsec policy to an interface. You
also link each IPsec policy to an IPsec security association. The IPsec policies define the amount
of security applied to specific traffic on a specific interface. The IPsec feature supports the
following security protocols:
• Encapsulating security payload (ESP)
• Authentication header (AH)
The device restricts IPsec encryption to control traffic through the CPU. The switch restricts IPsec
to transport mode only. The IPsec feature processes either the ingress, the egress, or both the
egress and ingress control packets to and from the CPU.
The device checks every ingress or egress packet for the IPsec base protocol, either AH or ESP.
The base protocol interacts with the security policy database (SPD) and security association
database (SADB) to check the level of security to apply to the packet. The device consults the
SPD for both ingress and egress traffic. For egress traffic, the device consults the SPD to
determine if IPsec needs to apply security considerations. For ingress traffic, the device consults
the SPD to determine whether the traffic received with IPsec encapsulation complies with the
policies defined in the system.
For more information on IPsec, see Configuring IPv6 Routing and Monitoring Performance.
December 2017
Configuring Security on VOSS
230
IPsec fundamentals
Authentication header
The authentication header (AH) authenticates IP traffic and ensures you connect with who you
want to connect. The authentication header can detect if data is altered in transit and protect
against replay attacks. The authentication header does not encrypt traffic.
The authentication header provides a small header that precedes the payload with the use of the
security parameters index (SPI) and sequence number. The authentication header provides:
• IP datagram sender authentication by HMAC or MAC
• IP datagram integrity assurance by HMAC or MAC
• Replay detection and protection by sequence number
The IPsec feature inserts the AH header after the IP header in transport mode. Transport mode
with AH authenticates only the payload of the IP packet. The device only supports transport mode.
The device does not support tunnel mode. Tunnel mode authenticates the entire IP packet,
including the IP header and data, to provide a secure hop between two hosts, two routers, or a
router and a host.
You can apply AH alone, or in combination with the Encapsulating Security Payload (ESP).
The following figures show an original IP packet and an IP packet with an AH header.
Figure 18: Original IP packet
Figure 19: AH in transport mode
December 2017
Configuring Security on VOSS
231
IPsec
Encapsulating security payload
The encapsulating security payload (ESP) encrypts traffic with use of encryption algorithms, such
as 3DES, AES-CBC, and AES-CTR. The security association specifies the algorithm and key
used in ESP.
The encapsulating security payload can protect origin authenticity, integrity, and confidentiality of
packets. ESP supports encryption-only and authentication-only configurations. The IPsec feature
inserts the ESP header after the IP header and before the next layer protocol header in transport
mode. Transport mode with ESP encrypts or authenticates only the payload of the IP packet. The
device only supports transport mode.
The device does not support tunnel mode. Tunnel mode encrypts or authenticates the entire IP
packet, including the IP header and data, to provide a secure hop between two hosts, two routers,
or a router and a host.
The following figures display the original IP packet and an IP packet with ESP.
Figure 20: Original IP packet
Figure 21: ESP in transport mode
IPsec modes
The IPsec feature security protocols use two different modes to protect the entire IP payload or
the upper layer protocols:
• Transport mode
December 2017
Configuring Security on VOSS
232
IPsec fundamentals
• Tunnel mode
The device only supports transport mode. The device uses transport mode to protect the upper
layer protocols. In transport mode, IPsec adds an IPsec header between the IP header and upper
layer protocol header.
This device does not support tunnel mode. Under tunnel mode IPsec protects the whole IP packet.
In tunnel mode, IPsec inserts the IPsec header between another IP datagram IP header and inner
IP header.
Security association
A security association (SA) is a group of algorithms and parameters used to encrypt and
authenticate the flow of IP traffic in a particular direction. An SA contains the information IPsec
needs to process an IP packet. IPsec identifies SAs by:
• Security Parameter Index (SPI)
• Protocol value (either AH or ESP)
• Destination address to which the SA applies
Creation of a security association
Typically SAs exist in pairs; one in each direction, either inbound or outbound.
You can create SAs manually or dynamically. After you create an SA manually, the SA has no
defined lifetime and the SA exists until you manually delete the SA.
After the device creates the SA dynamically, the SA can have a lifetime value that IPsec peers
negotiate through use of a key management protocol. If the device uses the key excessively
unauthorized access can occur. You must define the IPsec lifetime and other configurable
parameters manually.
Security associations reside in the Security Association Database (SADB), which maintains a list
of active SAs. The IPsec feature uses outbound SAs to secure the outgoing traffic and inbound
SAs to process the incoming traffic. The device checks every ingress or egress packet for the
IPsec base protocol, either AH or ESP. The base protocol interacts with the security policy
database (SPD) and security association database (SADB) to check the level of security to apply
to that packet.
The IPsec feature restricts SAs to the source and destination address of the connected router.
Security policy
Use IPsec to create IPsec security policies that define the levels of security for different types of
traffic. You can use IPsec security policies to create rules to filter traffic with IPsec. IPsec policies
determine what IP traffic to secure. An IPsec security policy typically consists of:
• An IP filter
• Security algorithms for authentication and key exchange
December 2017
Configuring Security on VOSS
233
IPsec
• An action
Creation of a security policy
You can configure IPsec on IPv4/IPv6 interfaces. First, create and configure an IPsec policy, and
then add and enable the policy on an interface.
After you enable IPsec, the device encrypts all control traffic on the interface based on the policy.
You have to specify individual policies to target a particular interface address or multiple
addresses. By default, this implementation does not work on a subnet.
The Security Policy Database (SPD) maintains the IPsec security policies. The device checks
every ingress or egress packet for the IPsec base protocol, either AH or ESP. The base protocol
interacts with the security policy database (SPD) and security association database (SADB) to
check the level of security to apply to that packet.
The IPsec feature only adds policies if the source address in the policy specified matches an
interface IP address.
The IPsec feature restricts the policy match source address to the interface address of the router
and destination IPv6 address.
IPsec limitations
This section describes the limitations associated with IPsec.
• The device only supports IPsec transport mode. IPsec does not support tunnel mode.
• The IPsec feature implementation is available only in software. Hardware implementation is
not available. Only control packets to and from the CPU are subject to IPsec. IPsec
implements IPsec policies in the software on the control path.
• The device does not support address ranges facility for an IPsec policy.
• No fast-path support exists for IPsec.
IPsec configuration using CLI
The following section provides procedures to configure Internet Protocol Security (IPsec).
Creating an IPsec policy
Use the following procedure to configure an IPsec policy. An IPsec policy defines the level of
security for different types of traffic.
December 2017
Configuring Security on VOSS
234
IPsec configuration using CLI
Note:
• You can only configure the IPsec policies for IPv4 addresses for UDP, TCP, and ICMPv4
protocols. You can continue to configure IPsec policies for IPv6 addresses for ICMPv6,
OSPFv3, TCP, and UDP.
• If you downgrade your software, the current IPsec configurations are no longer
supported. You must boot with the factory default settings for IPsec, and then reconfigure
the IPsec features.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create an IPsec policy:
ipsec policy WORD<1–32>
3. (Optional) Delete an IPsec policy:
no ipsec policy WORD<1–32>
Example
Create an IPsec policy named newpolicy:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec policy newpolicy
Variable definitions
Use the data in the following table to use the ipsec policy command.
Variable
Value
WORD<1–32>
Specifies the IPsec policy name.
Enabling an IPsec policy
Use the following procedure to enable an IPsec policy. An IPsec policy defines the level of security
for different types of traffic.
Note:
If you downgrade your software, the current IPsec configurations are no longer supported. You
must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.
Before you begin
• Create an IPsec policy.
December 2017
Configuring Security on VOSS
235
IPsec
About this task
The IPsec feature adds policies only if the admin status of the policy and the IPsec status on the
interface are enabled.
If you disable the IPsec policy on an IPv4 or IPv6 interface, IPsec removes the policy-related
information from the security policy database (SPD) and the security association database
(SADB), but the information remains on the system. After you re-enable, the information reapplies
on the interface.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable an IPsec policy:
ipsec policy WORD<1–32> admin enable
3. (Optional) Disable an IPsec policy:
no ipsec policy WORD<1–32> admin enable
Example
Enable an IPsec policy named newpolicy:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec policy newpolicy admin enable
Variable definitions
Use the data in the following table to use the ipsec policy command.
Variable
Value
admin enable
Enables the policy.
WORD<1–32>
Specifies the IPsec policy name.
Creating an IPsec security association
Use the following procedure to create an IPsec security association. A security association (SA) is
a group of algorithms and parameters used to encrypt and authenticate the flow of IP traffic in a
particular direction. An SA contains the information IPsec needs to process an IP packet.
About this task
You cannot delete or modify a security association if the security association links to a policy. To
modify a parameter in the security association or to delete the security association, you must first
unlink the security association from a policy.
December 2017
Configuring Security on VOSS
236
IPsec configuration using CLI
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create an IPsec security association:
ipsec security-association WORD<1–32>
3. (Optional) Delete an IPsec security association:
no ipsec security-association WORD<1–32>
Example
Create an IPsec security association named newsa:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec security-association newsa
Variable definitions
Use the data in the following table to use the ipsec security-association command.
Variable
Value
WORD<1–32>
Specifies the security association identifier.
Configuring an IPsec security association
Use the following procedure to configure an IPsec security association (SA). An SA is a group of
algorithms and parameters used to encrypt and authenticate the flow of IP traffic in a particular
direction. An SA contains the information IPsec needs to process an IP packet.
Before you begin
• Create an IPsec security association to configure.
About this task
You cannot delete or modify a security association if the security association links to a policy. To
modify a parameter in the security association, or to delete the security association, you must first
unlink the security association from a policy. You can only unlink a security association from a
policy if the policy does not link to an interface. If a policy links to an interface, you must first unlink
the policy from the interface, and then unlink the policy from the security association.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
December 2017
Configuring Security on VOSS
237
IPsec
2. Configure the IPsec security association key-mode:
ipsec security-association WORD<1–32> key-mode <automatic|manual>
This device only supports manual mode.
3. Configure the IPsec security association mode:
ipsec security-association WORD<1–32> mode <transport|tunnel>
This device only supports transport mode.
4. Configure the IPsec security association encapsulation protocol:
ipsec security-association WORD<1–32> encap–proto <AH|ESP>
5. Configure the IPsec security association security parameters index:
ipsec security-association WORD<1–32> spi <1-4294967295>
For IPsec to function, each peer must have the same SPI value configured on both peers
for a particular policy.
6. Configure the IPsec security association encryption algorithm:
ipsec security-association WORD<1–32> Encrpt-algo <3DES|AES-CBC|
AES-CTR|NULL> [EncrptKey WORD<1–256>][KeyLength <1–256>]
The encryption algorithm parameters are only accessible if you configure the
encapsulation protocol to ESP.
7. Configure the IPsec security association authentication algorithm:
ipsec security-association WORD<1–32> auth-algo <AES-XCBC-MAC|MD5|
SHA1|SHA2> [auth-key WORD<1–256>][KeyLength <1–256>]
8. Configure the IPsec security association lifetime value:
ipsec security-association WORD<1–32> lifetime
<Bytes<1-4294967295>|seconds<1-4294967295>
9. (Optional) Delete the IPsec security association:
no ipsec security-association WORD<1–32>
Example
Configure an IPsec security association named new_sa to have a key-mode of ASCII, an SA
mode of transport, and an encapsulation protocol of ESP. Configure the encryption algorithm to
3DES, with an encryption key of 111111111111111111111111, and a keylength of 24.
Configure the authorization algorithm to SHA1, the authorization key to
11111111111111111111, and key length to 20. Configure the SPI to 1 and the lifetime in
seconds to 1000.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec security-association newsa mode transport
Switch:1(config)#ipsec security-association newsa encap-proto ESP
Switch:1(config)#ipsec security-association newsa Encrpt-algo 3DES Encrpt-key
111111111111111111111111111111111111111111111111 KeyLength 48
December 2017
Configuring Security on VOSS
238
IPsec configuration using CLI
Switch:1(config)#ipsec security-association
11111111111111111111 KeyLength 20
Switch:1(config)#ipsec security-association
Switch:1(config)#ipsec security-association
Switch:1(config)#ipsec security-association
newsa auth-algo SHA1 auth-key
newsa key-mode manual
newsa spi 1
newsa lifetime seconds 1000
Variable definitions
Use the data in the following table to use the ipsec security-association command.
Variable
Value
WORD<1–32>
Specifies the security association.
auth-algo <AES-XCBC-MAC|MD5|SHA1|SHA2>
[auth-key WORD<1–256> ] [KeyLength <1–256>]
Specifies the authorization algorithm, which
includes one of the following values:
• AES-XCBC-MAC
• MD5
• SHA1
• SHA2
The default authentication algorithm name is MD5.
The parameter auth-key specifies the authentication
key.
The KeyLength parameter specifies a string value
of 1 to 256 characters in length. The default
KeyLength is 128. The KeyLength values are as
follows: 3DES is 48, AES-CBC is 32, 48, or 64,
AES-CTR is 32.
encap-proto <AH|ESP>
Specifies the encapsulation protocol:
• AH—Specifies authentication header.
• ESP—Specifies encapsulation security payload.
If you configure the encapsulation protocol as AH,
you cannot configure the encryption algorithms and
other encryption related attributes. You can only
access the encryption algorithm parameters if you
configure the encapsulation protocol to ESP.
The default value is ESP.
Encrpt-algo <3DES|AES-CBC|AES-CTR|NULL>
[EncrptKey WORD<1–256>] [KeyLength <1–256>]
Specifies the encryption algorithm value as one of
the following:
• 3DES-CBC
• AES-CBC
• AES-CTR
• NULL—Only use the NULL parameter to debug.
Do not use this parameter in other circumstances.
The default encryption algorithm is AES-CBC.
Table continues…
December 2017
Configuring Security on VOSS
239
IPsec
Variable
Value
You can only access the encryption algorithm
parameters if you configure the encapsulation
protocol to ESP.
The EncrptKey specifies the encryption key.
The KeyLength specifies the key length value in a
string from 1 to 256 characters. The default
KeyLength is 128. The KeyLength values are as
follows: 3DES is 48, AES-CBC is 32, 48, or 64,
AES-CTR is 32.
key-mode <automatic | manual>
Specifies the key-mode as one of the following:
• automatic
• manual
The default is manual.
lifetime <Bytes<1-4294967295> |
seconds<1-4294967295>
Specifies the lifetime value in seconds or bytes.
mode <transport | tunnel>
Specifies the mode value as one of the following:
The default lifetime value in seconds is 28800. The
default lifetime value in bytes is 4294966272.
• transport—Transport mode encapsulates the IP
payload and provides a secure connection
between two end points. This device only
supports transport mode.
• tunnel—Tunnel mode encapsulates the entire IP
packet and provides a secure tunnel. This device
does not support tunnel mode.
The default is transport mode.
spi<1-4294967295>
Specifies the security parameters index (SPI) value,
which is a unique value. SPI is a tag IPsec adds to
the IP header. The tag enables the system that
receives the IP packet to determine under which
security association to process the received packet.
For IPsec to function, each peer must have the
same SPI value configured on both peers for a
particular policy.
The default value is 0.
Configuring an IPsec policy
Use the following procedure to configure an IPsec policy. An IPsec policy defines the level of
security for different types of traffic.
December 2017
Configuring Security on VOSS
240
IPsec configuration using CLI
Before you begin
• Create an IPsec policy.
About this task
You can only configure the IPsec policies for IPv4 addresses for UDP, TCP, and ICMPv4
protocols. You can continue to configure IPsec policies for IPv6 addresses for ICMPv6, OSPFv3,
TCP, and UDP.
If you downgrade your software, the current IPsec configurations are no longer supported. You
must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.
You cannot delete or modify a policy if the policy links to a security association, or if the policy links
to a port or VLAN interface. If you need to modify a policy you must first unlink the policy from the
security association, and the port or VLAN interface.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the remote address:
ipsec policy WORD<1–32> raddr WORD<1–32>
3. (Optional) Configure the local address:
ipsec policy WORD<1–32> laddr WORD<1–32>
The laddr parameter is an optional parameter that you can configure to have multiple
local addresses for each remote address.
4. Configure the protocol:
ipsec policy WORD<1–32>[protocol <icmp|icmpv6|ospfv3|tcp|udp>]
[sport<1–65535|any>][dport<1–65535|any>]
5. Configure the policy action:
ipsec policy WORD<1–32> [action <drop|permit>]
Example
Configure the remote address to 2001:db8:0:0:0:0:0:1 and local address to
2001:db8:0:0:0:0:0:15. configure the protocol to TCP source port 4 and destination port 5.
Configure the policy to permit.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec policy
Switch:1(config)#ipsec policy
Switch:1(config)#ipsec policy
Switch:1(config)#ipsec policy
December 2017
Ipv6policy
Ipv6policy
Ipv6policy
Ipv6policy
raddr 2001:db8:0:0:0:0:0:1
laddr 2001:db8:0:0:0:0:0:15
protocol tcp sport 4 dport 5
action permit
Configuring Security on VOSS
241
IPsec
Configure the remote address to 192.0.1.1 and local address to 192.0.1.2. configure the
protocol to TCP source port 4 and destination port 5. Configure the policy to drop.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec policy
Switch:1(config)#ipsec policy
Switch:1(config)#ipsec policy
Switch:1(config)#ipsec policy
Ipv4policy
Ipv4policy
Ipv4policy
Ipv4policy
raddr 192.0.1.1
laddr 192.0.1.2
protocol tcp sport 4 dport 5
action drop
Variable definitions
Use the data in the following table to use the ipsec policy command.
Variable
Value
action <drop|permit>
Specifies the action the policy takes.
The default is permit.
laddr WORD<1–32>
Specifies the local address. The laddr parameter is
an optional parameter that you can configure to
have multiple local addresses for each remote
address.
The default is 0::0.
protocol <icmp|icmpv6|ospfv3|tcp|udp>] [sport<1–
65535>|any>][dport<1–65535>|any>]
Specifies the protocol, as one of the following:
• ICMP
• ICMPv6
• OSPFv3
• TCP
• UDP
sport — Specifies the source port for TCP and UDP.
You can specify any to configure any port as the
source port.
dport — Specifies the destination port for TCP and
UDP. You can specify any to configure any port as
the destination port.
The default protocol is TCP any.
IPv4 only supports ICMP, UDP, and TCP.
raddr WORD<1–32>
Specifies the remote address.
The default is 0::0.
WORD<1–32>
Specifies the policy name.
Linking the IPsec security association to an IPsec policy
Use the following procedure to link the security association to an IPsec policy.
December 2017
Configuring Security on VOSS
242
IPsec configuration using CLI
Before you begin
• The IPsec security association and IPsec policy must exist.
About this task
You cannot delete or modify a security association if the security association links to a policy. To
modify a parameter in the security association, or to delete the security association, you must first
unlink the security association from the policy. You can only unlink a security association from a
policy if the policy does not link to an interface. If a policy links to an interface, you must first unlink
the policy from the interface, and then unlink the policy from the security association.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Link the IPsec security association to the IPsec policy:
ipsec policy WORD<1–32> security-association WORD<1–32>
3. (Optional) Unlink the IPsec security association to the IPsec policy:
no ipsec policy WORD<1–32> security-association WORD<1–32>
Example
Link the IPsec security association named new_sa to the IPsec policy named newpolicy:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#ipsec policy newpolicy security-association newsa
Variable definitions
Use the data in the following table to use the ipsec policy command.
Variable
Value
WORD<1–32>
Specifies the policy ID.
security-association WORD<1–32>
Specifies the security association ID.
Enabling IPsec on an interface
Use the following procedure to enable IPsec on an interface. You can configure IPsec on a port,
management port, VLAN, or loopback interface.
Procedure
1. Enter Interface Configuration mode:
enable
configure terminal
December 2017
Configuring Security on VOSS
243
IPsec
followed by one of the following:
• interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
• interface loopback <1–256>
• interface mgmtEthernet <mgmt | mgmt2>
• interface vlan <1–4059>
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Enable IPsec on an IPv6 interface:
ipv6 ipsec enable
default ipv6 ipsec enable
3. Enable IPsec on an IPv4 interface:
ip ipsec enable
default ip ipsec enable
4. (Optional) Disable IPsec on an IPv6 interface:
no ipv6 ipsec enable
5. (Optional) Disable IPsec on an IPv4 interface:
no ip ipsec enable
Example
Enable IPsec for IPv6 on VLAN 100:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 100
Switch:1(config-if)#ipv6 ipsec enable
Variable definition
Use the data in the following table to use the ip ipsec and ipv6 ipsec commands.
Variable
Value
enable
Enables IPsec on the interface.
Linking an IPsec policy to an interface
Use the following procedure to link an IPsec policy to an interface, and configure a policy direction.
By default, the direction is both.
December 2017
Configuring Security on VOSS
244
IPsec configuration using CLI
Before you begin
• You must enable IPsec on the interface first, and then you link the IPsec policy to the
interface.
About this task
You cannot delete or modify an IPsec policy if the policy links to a port or VLAN interface. If you
need to modify the policy, first unlink the policy from the port or VLAN interface.
Procedure
1. Enter Interface Configuration mode:
enable
configure terminal
followed by one of the following:
• interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
• interface loopback <1–256>
• interface mgmtEthernet <mgmt | mgmt2>
• interface vlan <1–4059>
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Link the IPsec policy to an IPv4 interface:
ip ipsec policy WORD<1–32> dir <both|in|out>
3. Link the IPsec policy to an IPv6 interface:
ipv6 ipsec policy WORD<1–32> dir <both|in|out>
4. (Optional) Unlink the IPsec policy from an IPv4 interface:
no ip ipsec policy WORD<1–32> dir <both|in|out>
5. (Optional) Unlink the IPsec policy from an IPv6 interface:
no ipv6 ipsec policy WORD<1–32> dir <both|in|out>
Example
Link the IPsec policy newpolicy to the IPv6 interface VLAN 100:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface vlan 100
Switch:1(config-if)#ipv6 ipsec policy newpolicy dir both
December 2017
Configuring Security on VOSS
245
IPsec
Variable definitions
Use the data in the following table to use the ip ipsec policy and ipv6 ipsec policy
commands.
Variable
Value
WORD<1–32>
Specifies the policy ID.
dir <both|in|out>
Specifies the direction you want to protect with
IPsec:
• both—Specifies both ingress and egress traffic.
• in—Specifies ingress traffic.
• out—Specifies egress traffic.
The default is both.
Enabling IPsec on a management interface
Use the following procedure to enable IPsec on a management interface.
By default, IPsec is disabled on the management interface.
About this task
This procedure only applies to hardware with a dedicated, physical management interface.
Procedure
1. Enter mgmtEthernet Interface Configuration mode:
enable
configure terminal
interface mgmtEthernet <mgmt | mgmt2>
2. Enable IPsec on an IPv6 interface:
ipv6 ipsec enable
3. Enable IPsec on an IPv4 interface:
ip ipsec enable
Example
Enable IPsec for IPv4 on the management interface:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface mgmtEthernet mgmt
Switch:1(config-if)#ip ipsec enable
December 2017
Configuring Security on VOSS
246
IPsec configuration using CLI
Linking an IPsec policy to a management interface
Use the following procedure to link an IPsec policy to a management interface, and configure a
policy direction. By default, the direction is both.
About this task
This procedure only applies to hardware with a dedicated, physical management interface.
Before you begin
• You must enable IPsec on the interface first, and then you link the IPsec policy to the
interface.
Procedure
1. Enter mgmtEthernet Interface Configuration mode:
enable
configure terminal
interface mgmtEthernet <mgmt | mgmt2>
2. Link the IPsec policy to an IPv4 interface:
ip ipsec policy WORD<1–32> dir <both|in|out>
3. Link the IPsec policy to an IPv6 interface:
ipv6 ipsec policy WORD<1–32> dir <both|in|out>
4. (Optional) Unlink the IPsec policy from an IPv4 interface:
no ip ipsec policy WORD<1–32> dir <both|in|out>
5. (Optional) Unlink the IPsec policy from an IPv6 interface:
no ipv6 ipsec policy WORD<1–32> dir <both|in|out>
Example
Link the IPsec policy for IPv4 to the management interface:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface mgmtEthernet mgmt
Switch:1(config-if)#ip ipsec policy newpolicy dir both
Variable definitions
Use the data in the following table to use the ip ipsec policy and ipv6 ipsec policy
commands.
Variable
Value
WORD<1–32>
Specifies the policy ID.
Table continues…
December 2017
Configuring Security on VOSS
247
IPsec
Variable
Value
dir <both|in|out>
Specifies the direction you want to protect with
IPsec:
• both—Specifies both ingress and egress traffic.
• in—Specifies ingress traffic.
• out—Specifies egress traffic.
The default is both.
Displaying IPsec information on an interface
Use the following procedure to display IPsec information on an interface.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display the IPsec status on an Ethernet interface:
show ipsec interface gigabitethernet {slot/port[/sub-port] [-slot/
port[/sub-port]] [,...]}
3. Display the IPsec status on a VLAN interface:
show ipsec interface vlan <1-4059>
4. Display the IPsec status on a management interface:
show ipsec interface mgmtethernet mgmt
Note:
This step applies to hardware that includes a physical management interface.
5. Display the IPsec status on a loopback interface:
show ipsec interface loopback <1–256>
Example
Display the IPsec status on a VLAN interface.
Switch:1>show ipsec interface vlan 22
========================================================================================
==
VLAN Interface Policy Table
========================================================================================
==
Vlan Interface
Policy Name
IPsec State
Direction
----------------------------------------------------------------------------------------22
AAA
Enable
both
22
tcp
Enable
both
22
icmp
Enable
both
December 2017
Configuring Security on VOSS
248
IPsec configuration using CLI
Variable definitions
Use the data in the following table to use the show ipsec interface command.
Variable
Value
gigabitethernet {slot/port[/sub-port] [-slot/port[/subport]] [,...]}
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of
slots and ports (slot/port-slot/port), or a series of
slots and ports (slot/port,slot/port,slot/port). If your
platform supports channelization and the port is
channelized, you must also specify the sub-port in
the format slot/port/sub-port.
mgmtethernet mgmt
Identifies the interface as the management
interface.
loopback <1–256>
Specifies the loopback interface.
vlan <1-4059>
Specifies the VLAN ID in the range of 1 to 4059. By
default, VLAN IDs 1 to 4059 are configurable and
the system reserves VLAN IDs 4060 to 4094 for
internal use. On switches that support the vrfscaling and spbm-config-mode boot configuration
flags, if you enable these flags, the system also
reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the
default VLAN and you cannot create or delete
VLAN ID 1.
Job aid
The following table describes the fields in the output for the show ipsec interface vlan
command.
Parameter
Description
Vlan Interface
Specifies the VLAN interface.
Policy Name
Specifies the IPsec policy that associates with the
specific VLAN or VLANs.
IPsec State
Specifies whether the IPsec policy is enabled on the
VLAN interface.
Direction
Specifies the policy direction.
The following table describes the fields in the output for the show ipsec interface
gigabitethernet command.
Parameter
Description
Interface
Specifies the interface.
Policy Name
Specifies the IPsec policy that associates with the
specific port or ports.
Table continues…
December 2017
Configuring Security on VOSS
249
IPsec
Parameter
Description
IPsec State
Specifies whether the IPsec policy is enabled on the
interface.
Direction
Specifies the policy direction.
The following table describes the fields in the output for the show ipsec interface
mgmtethernet command.
Parameter
Description
Interface
Specifies the VLAN interface.
Policy Name
Specifies the IPsec policy that associates with the
management port.
IPsec State
Specifies whether the IPsec policy is enabled on the
interface.
Direction
Specifies the policy direction.
The following table describes the fields in the output for the show ipsec interface
loopback command.
Parameter
Description
LoopBack Interface
Specifies the loopback interface.
Policy Name
Specifies the IPsec policy that associates with the
interface.
IPsec State
Specifies whether the IPsec policy is enabled on the
interface.
Direction
Specifies the policy direction.
Displaying configured IPsec policies
Use the following procedure to display IPsec policies.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display all of the IPsec policies on the switch:
show ipsec policy all
3. Display a specific IPsec policy based on the policy name on the interface:
show ipsec policy interface WORD<1–32>
4. Display the IPsec policy based on the policy name:
show ipsec policy name WORD<1–32>
December 2017
Configuring Security on VOSS
250
IPsec configuration using CLI
Example
Display IPsec policy information:
Switch:1>show ipsec policy all
=========================================================================
IPSEC Policy Table
=========================================================================
PolicyName
: ospf1
LocalAddress: 0::0
RemoteAddress: 0::0
Protocol: ospfv3
src-port: 0
dest-port: 0
Action: Permit
Admin: Enable
Switch:1>show ipsec policy interface ospf1
=========================================================================
IPsec Policy Interface Table
=========================================================================
------------------------------------------------------------------------POLICY NAME
InterfaceIndex
Policy State
Direction
------------------------------------------------------------------------ospf1
2/3
Enable
both
Switch:1>show ipsec policy name ospf1
=========================================================================
IPSEC Policy Table
=========================================================================
PolicyName
: ospf1
LocalAddress: 0::0
RemoteAddress: 0::0
Protocol: ospfv3
src-port: 0
dest-port: 0
Action: Permit
Admin: Enable
Variable definitions
Use the data in the following table to use the show ipsec policy command.
Variable
Value
all
Displays all of the IPsec policies on the switch.
interface WORD<1–32>
Displays a specific IPsec policy based on the policy
name on the interface.
name WORD<1–32>
Displays the IPsec policy based on the name of the
policy.
Job aid
The following table describes the fields in the output for the show ipsec policy all and
show ipsec policy name commands.
December 2017
Configuring Security on VOSS
251
IPsec
Parameter
Description
PolicyName
Specifies the IPsec policy name.
LocalAddress
Specifies the local address. The default is 0::0.
RemoteAddress
Specifies the remote address. The default is 0::0.
Protocol
Specifies the protocol.
src-port
Specifies the source port.
dest-port
Specifies the destination port.
Action
Specifies the action as either: permit or drop.
Admin
Specifies whether the policy is enabled.
The following table describes the fields in the output for the show ipsec policy interface
command.
Parameter
Description
POLICY NAME
Specifies the IPsec policy name.
InterfaceIndex
Specifies the interface.
Policy State
Specifies whether the policy is enabled.
Displaying IPsec security association information
Use the following procedure to display IPsec security association information.
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display all IPsec security associations:
show ipsec sa all
3. Display a specific IPsec security association:
show ipsec sa name WORD<1–32>
4. Display all security associations linked to a specific policy:
show ipsec sa-policy
Example
Display information on IPsec security association policies:
Switch:1>enable
Switch:1#show ipsec sa all
=========================================================================
IPSEC Security Association Table
=========================================================================
sa-name: ospf1
key-Mode: manual
December 2017
Configuring Security on VOSS
252
IPsec configuration using CLI
Encap protocol: ESP
SPI Value: 9
Encrypt Algorithm: 3dec-cbc
Encrypt-key: 52fb29f723b0800870dc83e3
Encrypt-key-Len: 24
Auth Algorithm: hmac-md5
Auth-key: 123456789abcdef0
Auth-key-Len: 16
Mode: transport
Lifetime-Sec: 1000
Lifetime-Byte: 20000
Switch:1#show ipsec sa name ospf1
=========================================================================
IPSEC Security Association Table
=========================================================================
sa-name: ospf1
key-Mode: manual
Encap protocol: ESP
SPI Value: 9
Encrypt Algorithm: 3dec-cbc
Encrypt-key: 52fb29f723b0800870dc83e3
Encrypt-key-Len: 24
Auth Algorithm: hmac-md5
Auth-key: 123456789abcdef0
Auth-key-Len: 16
Mode: transport
Lifetime-Sec: 1000
Lifetime-Byte: 20000
Switch:1#show ipsec sa-policy
=========================================================================
SA POLICY TABLE
=========================================================================
Policy Name
Security Association
------------------------------------------------------------------------ospf1
ospf1
-------------------------------------------------------------------------
Variable definitions
Use the data in the following table to use the show ipsec sa command.
Variable
Value
all
Displays all security associations.
name WORD<1–32>
Displays a specific security association based on
name.
Use the data in the following table to use the show ipsec command.
Variable
Value
sa-policy
Displays all security associations linked to a specific
policy.
December 2017
Configuring Security on VOSS
253
IPsec
Job aid
The following table describes the fields in the output for the show ipsec sa all and show
ipsec saname commands.
Parameter
Description
sa-name
Specifies all of the IPsec security association
names.
key-Mode
Specifies the key mode as manual or automatic.
The default is automatic.
Encap protocol
Specifies the encapsulation protocol.
SPI Value
Specifies the SPI value, which is a tag added to the
IP header. For IPsec to function, each peer must
have the same SPI value configured on both peers
for a particular policy.
Encrypt Algorithm
Specifies the encrypt algorithm as one of the
following:
• 3DES-CBC
• AES-CBC
• AES-CTR
• NULL—Only used to debug.
Encrypt-key
Specifies the encrypt-key parameter for the
authentication key in either:
• hex– Specifies hexadecimal.
• ascii–Specifies ASCII, the American Standard
Code for Information Interchange character
encoding scheme.
Encrypt-key-Len
Specifies the key length value in a string from 1 to
256 characters. The default KeyLength is 128.
Mode
Specifies the mode value as one of the following:
• tunnel—Tunnel mode encapsulates the entire IP
packet and provides a secure tunnel. This device
does not support tunnel mode.
• transport—Transport mode encapsulates the IP
payload and provides a secure connection
between two endpoints. This device only supports
transport mode.
The default is transport mode.
Lifetime-Sec
Specifies the lifetime value in seconds. The default
is 28800.
Lifetime-Byte
Specifies the lifetime value in bytes. The default is
4294966272.
December 2017
Configuring Security on VOSS
254
IPsec configuration using EDM
The following table describes the fields in the output for the show ipsec sa-policy command.
Parameter
Description
Policy Name
Specifies the IPsec policy name.
Security Association
Specifies the security association name.
IPsec configuration using EDM
The following section provides procedures to configure Internet Protocol security (IPsec).
Creating an IPsec policy
Use the following procedure to configure an IPsec policy for an IPv4 or an IPv6 interface. An IPsec
policy defines the level of security for different types of traffic.
Note:
• You can only configure the IPsec policies for IPv4 addresses for UDP, TCP, and ICMPv4
protocols. You can continue to configure IPsec policies for IPv6 addresses for ICMPv6,
OSPFv3, TCP, and UDP.
• If you downgrade your software, the current IPsec configurations are no longer
supported. You must boot with the factory default settings for IPsec, and then reconfigure
the IPsec features.
About this task
You cannot delete or modify a policy if the policy links to a security association, or if the policy links
to a port or VLAN interface. If you need to modify a policy you must first unlink the policy from the
security association, and the port or VLAN interface.
Procedure
1. In the navigation pane, expand the Configuration > Security > Control Path folders.
2. Click IPSec.
3. Click the Policy tab.
4. Click Insert.
5. In the Name field, type a policy name.
6. Complete the remaining optional configuration to customize the policy.
7. Click Insert.
Policy field descriptions
Use the data in the following table to use the Policy tab.
December 2017
Configuring Security on VOSS
255
IPsec
Name
Description
Name
Specifies the IPsec policy name.
DstAddress
Specifies the remote address. This field accepts
IPv4 and IPv6 address, depending on the selected
source address type.
SrcAddress
Specifies the local address. The local address is
optional that you can configure to have multiple
local addresses for each remote (destination)
address.
This field accepts IPv4 and IPv6 address,
depending on the selected source address type.
SrcPort
Specifies the source port for TCP and UDP. Leave
this field empty to configure any port as the source
port. The default is value is 1.
DstPort
Specifies the destination port for TCP and UDP.
Leave this field empty to configure any port as the
destination port. The default value is 1.
AdminFlag
Enables or disables the policy. The default is
disabled.
L4Protocol
Specifies the protocol, as one of the following:
• tcp
• udp
• icmp
• icmpv6
• ospfv3
IPv4 interfaces only support TCP, UDP, and ICMP.
The default is TCP.
Action
Specifies the action the policy takes. The default is
to permit the packet.
Creating an IPsec security association
Use the following procedure to create an IPsec security association. A security association (SA) is
a group of algorithms and parameters used to encrypt and authenticate the flow of IP traffic in a
particular direction. An SA contains the information IPsec needs to process an IP packet.
About this task
You cannot delete or modify a security association if the security association links to a policy. To
modify a parameter in the security association or to delete the security association, you must first
unlink the security association from a policy.
December 2017
Configuring Security on VOSS
256
IPsec configuration using EDM
You can only unlink a security association from a policy if the policy does not link to an interface. If
a policy links to an interface, you must first unlink the policy from the interface, and then unlink the
policy from the security association.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IPSec.
3. Click the Security Association tab.
4. Click Insert.
5. In the Name field, type a name to identify the SA.
6. In the SPI field, type the security parameters index.
Note:
For IPsec to function, each peer must have the same SPI value configured for a
particular policy.
7. Complete the remaining optional configuration.
8. Click Insert.
Security Association field descriptions
Use the data in the following table to use the Security Association tab.
Name
Description
Name
Specifies the name of the security association.
Spi
Specifies the security parameters index (SPI) value,
which is a unique value. SPI is a tag IPsec adds to
the IP header. The tag enables the system that
receives the IP packet to determine under which
security association to process the received packet.
For IPsec to function, each peer must have the
same SPI value configured for a particular policy.
The default value is 0.
HashAlgorithm
Specifies the authorization algorithm, which
includes one of the following values:
• AESXCBC
• MD5
• SHA1
• SHA2
The default authentication algorithm name is MD5.
Table continues…
December 2017
Configuring Security on VOSS
257
IPsec
Name
Description
EncryptAlgorithm
Specifies the encryption algorithm value as one of
the following:
• DES3CBC
• AES128CBC
• AESCTR
• NULL—Only use the NULL parameter to debug.
Do not use this parameter in any other
circumstance.
The default encryption algorithm is AES128CBC.
You can only access the encryption algorithm
parameters if you configure the encapsulation
protocol to ESP.
AuthMethod
Specifies the encapsulation protocol:
• ah—Specifies authentication header.
• es—Specifies encapsulation security payload.
If you configure the encapsulation protocol as ah,
you cannot configure the encryption algorithms and
other encryption related attributes. You can only
access the encryption algorithm parameters if you
configure the encapsulation protocol to es.
The default value is es.
Mode
Specifies the mode value as one of the following:
• transport—Transport mode encapsulates the IP
payload and provides a secure connection
between two end points. This device only
supports transport mode.
• tunnel—Tunnel mode encapsulates the entire IP
packet and provides a secure tunnel. This device
does not support tunnel mode.
The default is transport mode.
KeyMode
Specifies the key-mode as one of the following:
• manual
• auto
The default is manual.
EncryptKeyName
Specifies the encryption key.
EncryptKeyLength
Specifies the numbers of bits used in the encryption
key. The key length values are as follows:
• DES3CBC is 48
Table continues…
December 2017
Configuring Security on VOSS
258
IPsec configuration using EDM
Name
Description
• AES128CBC is 32, 48, 64
• AESCTR is 32
HashKeyName
Specifies the authentication key.
HashKeyLength
Specifies the numbers of bits used in the hash key.
The key length values are as follows:
• AESXCBC is 32
• MD5 is 32
• SHA1 is 40
LifetimeSeconds
Specifies the lifetime value in seconds. The lifetime
determines the traffic that can pass between IPsec
peers using a security association before that
security association expires.
The default lifetime value in seconds is 28800.
LifetimeBytes
Specifies the lifetime value in bytes. The lifetime
determines the traffic that can pass between IPsec
peers using a security association before that
security association expires.
The default lifetime value in bytes is 4294966272.
Linking the IPsec security association to an IPsec policy
Use the following procedure to link the security association to an IPsec policy.
About this task
You cannot delete or modify a security association if the security association links to a policy. To
modify a parameter in the security association, or to delete the security association, you must first
unlink the security association from the policy. You can only unlink a security association from a
policy if the policy does not link to an interface. If a policy links to an interface, you must first unlink
the policy from the interface, and then unlink the policy from the security association.
Before you begin
• The IPsec security association and IPsec policy must exist.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IPSec.
3. Click the Policy SA Link tab.
4. Click Insert.
5. In the PolicyName field, type the IPsec policy name.
December 2017
Configuring Security on VOSS
259
IPsec
6. In the SAName field, type the security association name.
7. Click Insert.
Policy SA Link field descriptions
Use the data in the following table to use the Policy SA Link tab.
Name
Description
PolicyName
Specifies the name of the IPsec policy.
SAName
Specifies the name of the security association.
Enabling IPsec on an IPv6 interface
Use the following procedure to enable IPsec on an IPv6 interface.
Note:
If you downgrade your software, the current IPsec configurations are no longer supported. You
must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.
Procedure
1. In the navigation pane, expand the following folder: Configuration > Security > Control
Path.
2. Click IPSec.
3. Click the IPv6 Interfaces tab.
4. In the IpsecEnable column, double-click in the IpsecEnable field, and select enable from
the drop-down box.
5. Click Apply.
Enabling IPsec on an IPv4 interface
Use the following procedure to enable IPsec on an IPv4 interface.
Note:
If you downgrade your software, the current IPsec configurations are no longer supported. You
must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.
Procedure
1. In the navigation pane, expand the following folder: Configuration > Security > Control
Path.
2. Click IPSec.
December 2017
Configuring Security on VOSS
260
IPsec configuration using EDM
3. Click the IPv4 Interfaces tab.
4. In the IpsecEnable column, double-click in the IpsecEnable field, and select enable from
the drop-down box.
5. Click Apply.
IPv4 Interfaces tab field descriptions
Use the data in the following table to use the IPv4 Interfaces tab.
Name
Description
Interface
Specifies the interface.
IpsecEnable
Specifies if IPsec is enabled on that particular
interface.
Linking an IPsec policy to an interface
Use the following procedure to link an IPsec policy to an interface, and configure a policy direction.
By default, the direction is both.
About this task
You cannot delete or modify an IPsec policy if the policy links to a port or VLAN interface. If you
need to modify the policy, first unlink the policy from the port or VLAN interface.
Before you begin
• You must enable IPsec on the interface first, and then you link the IPsec policy to the
interface.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IPSec.
3. Click the Interface Policy tab.
4. Click Insert.
5. In the Name field, type the name of the IPsec policy.
6. In the IfIndex field, click either Port , Vlan, or Mgmt Port, and then select an interface.
Note:
The Mgmt Port button only appears for hardware with a dedicated, physical
management interface. If you click this button, EDM automatically populates the
IfIndex value.
7. Click Okay.
8. Complete the remaining optional configuration.
December 2017
Configuring Security on VOSS
261
IPsec
9. Click Insert.
Interface Policy field descriptions
Use the data in the following table to use the Interface Policy tab.
Name
Description
Name
Specifies the IPsec policy name.
IfIndex
Links a policy to either a port, VLAN, loopback, or
management interface.
IfEnabled
Shows if the IPsec is enabled on the interface and if
the administrative state of the policy is enabled.
IfDirection
Specifies the direction you want to protect with
IPsec:
• inbound—Specifies ingress traffic.
• outbound—Specifies egress traffic.
• bothDirections—Specifies both ingress and
egress traffic.
The default is bothDirections.
Displaying IPsec interface statistics
Use this procedure to view IPsec statistics and counter values for each IPsec-enabled interface.
About this task
If you select an interface on the Stats tab, you can click Graph to graph particular statistics for
that interface.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IPSec.
3. Click the Interface Stats tab.
Interface Stats field descriptions
Use the data in the following table to use the Interface Stats tab.
Name
Description
IfIndex
Shows the interface index for which the statistic is
captured.
Table continues…
December 2017
Configuring Security on VOSS
262
IPsec configuration using EDM
Name
Description
InSuccesses
Specifies the number of ingress packets IPsec
successfully carries.
InSPViolations
Specifies the number of ingress packets IPsec
discards since boot time because of a security
policy violation.
InNotEnoughMemories
Specifies the number of ingress packets IPsec
discards since boot time because not enough
memory is available.
InAHESPReplays
Specifies the number of ingress packets IPsec
discards since boot time because the AH replay
check fails.
InESPReplays
Specifies the number of ingress packets IPsec
discards since boot time because the ESP replay
check fails.
InAHFailures
Specifies the number of ingress packets IPsec
discards since boot time because the AH
authentication check fails.
InESPFailures
Specifies the number of ingress packets IPsec
discards since boot time because the ESP
authentication check fails.
OutSuccesses
Specifies the number of egress packets IPsec
successfully carries since boot time.
OutSPViolations
Specifies the number of egress packets IPsec
discards since boot time because a security policy
violation occurs.
OutNotEnoughMemories
Specifies the number of egress packets IPsec
discards since boot time because not enough
memory is available since boot time.
generalError
Specifies a general error.
InAhSuccesses
Specifies the number of ingress packets IPsec
carries because the AH authentication succeeds.
OutAHSuccesses
Specifies the number of egress packets IPsec
successfully carries since boot time.
InESPSuccesses
Specifies the number of ingress packets IPsec
carries since boot time because the ESP
authentication succeeds.
OutESPSuccesses
Specifies the number of egress packets IPsec
successfully carries since boot time.
OutKBytes
Specifies the total number of kilobytes on egress.
OutBytes
Specifies the total number of bytes on egress.
InKBytes
Specifies the total number of bytes on ingress.
Table continues…
December 2017
Configuring Security on VOSS
263
IPsec
Name
Description
InBytes
Specifies the total number of bytes on ingress.
TotalPacketsProcessed
Specifies the total number of packets processed.
TotalPacketsByPassed
Specifies the total number of packets bypassed.
OutAHFailures
Specifies the number of egress packets IPsec
discards since boot time because the AH
authentication check fails.
OutESPFailures
Specifies the number of egress packets IPsec
discards since boot time because the ESP
authentication check fails.
InMD5Hmacs
Specifies the number of inbound HMAC MD5
occurrences since boot time.
InSHA1Hmacs
Specifies the number of inbound HMAC SHA1
occurrences since boot time.
InAESXCBCs
Specifies the number of inbound AES XCBC MAC
occurrences since boot time.
InAnyNullAuth
Specifies the number of inbound null authentication
occurrences since boot time.
In3DESCBCs
Specifies the number of inbound 3DES CBC
occurrences since boot time.
InAESCBCs
Specifies the number of inbound AES CBC
occurrences since boot time.
InAESCTRs
Specifies the number of inbound AES CTR
occurrences since boot time.
InAnyNulEncrypt
Specifies the number of inbound null occurrences
since boot time. Used for debugging purposes.
OutMD5Hmacs
Specifies the number of outbound HMAC MD5
occurrences since boot time.
OutSHA1Hmacs
Specifies the number of outbound HMAC SHA1
occurrences since boot time.
OutAESXCBCs
Specifies the number of outbound AES XCBC MAC
occurrences since boot time.
OutInAnyNullAuth
Specifies the number of outbound null
authentication occurrences since boot time.
Out3DESCBCs
Specifies the number of outbound 3DES CBC
occurrences since boot time.
OutAESCBCs
Specifies the number of outbound AES CBC
occurrences since boot time.
OutAESCTRs
Specifies the number of outbound AES CTR
occurrences since boot time.
OutInAnyNullEncrypt
Specifies the number of outbound null occurrences
since boot time. Used for debugging purposes.
December 2017
Configuring Security on VOSS
264
IPsec configuration using EDM
Displaying switch level statistics for IPsec-enabled interfaces
Use this procedure to view IPsec statistics and counter values at the switch level for all IPsecenabled interfaces.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IPSec.
3. Click the Global Stats tab.
Global Stats field descriptions
Use the data in the following table to use the Global Stats tab.
Name
Description
InSuccesses
Specifies the number of ingress packets IPsec
successfully carries.
InSPViolations
Specifies the number of ingress packets IPsec
discards since boot time because of a security
policy violation.
InNotEnoughMemories
Specifies the number of ingress packets IPsec
discards since boot time because not enough
memory is available.
InAHESPReplays
Specifies the number of ingress packets IPsec
discards since boot time because the AH replay
check fails.
InESPReplays
Specifies the number of ingress packets IPsec
discards since boot time because the ESP replay
check fails.
InAHFailures
Specifies the number of ingress packets IPsec
discards since boot time because the AH
authentication check fails.
InESPFailures
Specifies the number of ingress packets IPsec
discards since boot time because the ESP
authentication check fails.
OutSuccesses
Specifies the number of egress packets IPsec
successfully carries since boot time.
OutSPViolations
Specifies the number of egress packets IPsec
discards since boot time because a security policy
violation occurs.
Table continues…
December 2017
Configuring Security on VOSS
265
IPsec
Name
Description
OutNotEnoughMemories
Specifies the number of egress packets IPsec
discards since boot time because not enough
memory is available since boot time.
generalError
Specifies a general error.
InAHSuccesses
Specifies the number of ingress packets IPsec
carries because the AH authentication succeeds.
OutAHSuccesses
Specifies the number of egress packets IPsec
successfully carries since boot time.
InESPSuccesses
Specifies the number of ingress packets IPsec
carries since boot time because the ESP
authentication succeeds.
OutESPSuccesses
Specifies the number of egress packets IPsec
successfully carries since boot time.
OutKBytes
Specifies the total number of kilobytes on egress.
OutBytes
Specifies the total number of bytes on egress.
InKBytes
Specifies the total number of bytes on ingress.
InBytes
Specifies the total number of bytes on ingress.
TotalPacketsProcessed
Specifies the total number of packets processed.
TotalPacketsByPassed
Specifies the total number of packets bypassed.
OutAHFailures
Specifies the number of egress packets IPsec
discards since boot time because the AH
authentication check fails.
OutESPFailures
Specifies the number of egress packets IPsec
discards since boot time because the ESP
authentication check fails.
InMD5Hmacs
Specifies the number of inbound HMAC MD5
occurrences since boot time.
InSHA1Hmacs
Specifies the number of inbound HMAC SHA1
occurrences since boot time.
InAESXCBCs
Specifies the number of inbound AES XCBC MAC
occurrences since boot time.
InAnyNullAuth
Specifies the number of inbound null authentication
occurrences since boot time.
In3DESCBCs
Specifies the number of inbound 3DES CBC
occurrences since boot time.
InAESCBCs
Specifies the number of inbound AES CBC
occurrences since boot time.
InAESCTRs
Specifies the number of inbound AES CTR
occurrences since boot time.
Table continues…
December 2017
Configuring Security on VOSS
266
IPsec configuration using EDM
Name
Description
InAnyNulEncrypt
Specifies the number of inbound null occurrences
since boot time. Used for debugging purposes.
OutMD5Hmacs
Specifies the number of outbound HMAC MD5
occurrences since boot time.
OutSHA1Hmacs
Specifies the number of outbound HMAC SHA1
occurrences since boot time.
OutAESXCBCs
Specifies the number of outbound AES XCBC MAC
occurrences since boot time.
OutInAnyNullAuth
Specifies the number of outbound null
authentication occurrences since boot time.
Out3DESCBCs
Specifies the number of outbound 3DES CBC
occurrences since boot time.
OutAESCBCs
Specifies the number of outbound AES CBC
occurrences since boot time.
OutAESCTRs
Specifies the number of outbound AES CTR
occurrences since boot time.
OutInAnyNullEncrypt
Specifies the number of outbound null occurrences
since boot time. Used for debugging purposes.
Configuring IPsec for the OSPF virtual link
Use the following procedure to configure and enable IPsec for the OSPF virtual link.
IPsec is disabled by default.
About this task
Until you enable IPsec on both sides of the virtual links, the links cannot exchange OSPFv3
control messages, and the system drops OSPFv3 exchange packets.
You must disable IPsec before you can perform virtual link policy configuration changes.
Before you begin
• Configure the OSPF virtual link.
• Create the IPsec security association.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Panel.
2. Click IPSec.
3. Click the OSPF Virtual Link tab.
4. Click Insert.
5. Specify the area ID.
December 2017
Configuring Security on VOSS
267
IPsec
6. Specify the neighbor address.
7. Complete the remaining optional configuration.
8. Click Insert.
OSPF Virtual Link field descriptions
Use the data in the following table to use the OSPF Virtual Link tab.
Name
Description
AreaId
Identifies the OSPF virtual link area.
Neighbor
Identifies the OSPF virtual link neighbor.
SAName
Links the security association to the OSPF virtual
link.
AdminStatus
Enables the policy. The default is disabled.
Action
Configures the action of the IPsec policy under the
OSPF virtual tunnel to one of the following:
• permit—Permits the IP packets.
• drop—Drops the IP packets.
The default is permit.
Direction
Specifies the direction you want to protect with
IPsec:
• inBound—Specifies ingress traffic.
• outBound—Specifies egress traffic.
• bothDirections—Specifies both ingress and
egress traffic.
The default is bothDirections.
SrcAddress
Shows the address of the source interface to which
the policy applies.
DstAddress
Shows the address of the destination interface to
which the policy applies.
LinkID
Shows a unique ID for the OSPF virtual link. The
default is 0.
IfIndex
Shows the interface index to which OSPF virtual
link the policy applies.
OperStatus
Shows the operational status of the link, either up or
down. The default is down.
December 2017
Configuring Security on VOSS
268
IPsec configuration examples
IPsec configuration examples
The following section provides examples to configure Internet Protocol Security (IPsec).
Note:
If you downgrade your software, the current IPsec configurations are no longer supported. You
must boot with the factory default settings for IPsec, and then reconfigure the IPsec features.
IPsec configuration example
Review the following information to understand IPsec configuration.
Use the following steps to configure IPsec.
1. Create and configure an IPsec policy.
2. Enable the policy.
3. Create an IPsec security association to correspond with the IPsec policy.
4. Configure the key mode format.
5. Configure the security association.
6. Link the IPsec security association to the IPsec policy.
7. Enable the IPsec policy on the interface.
8. Link the IPsec policy with the interface.
9. Enable the IPsec on the interface that links to the IPsec policy.
For an example configuration and for more information on IPsec OSPFv3 and OSPFv3 virtual link,
see Configuring IPv6 Routing.
Create a policy named newpolicy with a security association named new_sa on VLAN 100.
The following displays the IPsec policy configuration:
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
newpolicy
newpolicy
newpolicy
newpolicy
raddr 2001:db8:0:0:0:0:0:1
laddr 2001:db8:0:0:0:0:0:15
protocol tcp sport 4 dport 5
action permit
The following example displays the IPsec security association:
ipsec security-association new_sa
ipsec security-association new_sa key-mode manual
ipsec security-association new_sa mode transport
ipsec security-association new_sa encap-proto ESP
ipsec security-association new_sa Encrpt-algo 3DES-CBC encrypt-key
111111111111111111111111 KeyLength 24
ipsec security-association new_sa auth-algo SHA1 auth-key 11111111111111111111
KeyLength 20
ipsec security-association new_sa spi 1
ipsec security-association new_sa lifetime seconds 1000
December 2017
Configuring Security on VOSS
269
IPsec
IPsec with ICMPv6 configuration example
The following displays configuration of IPsec with ICMPv6.
Figure 22: IPsec configuration with ICMPv6
Switch 10 security association configuration
The following example displays the configuration of the security association on Switch 10.
ipsec security-association icmp
ipsec security-association icmp encap-proto ESP
ipsec security-association icmp mode transport
ipsec security-association icmp spi 1
ipsec security-association icmp auth-algo SHA1 auth-key
1234567890123456789012345678901234567890 keyLength 40
ipsec security-association icmp Encrpt-algo AES-CBC EncrptKey
12345678901234567890123456789012 keyLength 32
ipsec security-association icmp key-mode manual
ipsec security-association icmp lifetime seconds 1
ipsec security-association icmp lifetime bytes 1
Switch 10 policy configuration
The following example displays the configuration of the security policy on Switch 10.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
admin enable
raddr 2001::2
laddr 2001::1
protocol icmpv6
action permit
security-association icmp
Switch 10 interface configuration
The following example displays the configuration of IPsec on slot/port 1/10.
interface gigabitEthernet 1/10
no shut
interface vlan 3
interface address 2000::1
interface enable
ipv6 ipsec policy ICMP_Policy dir both
ipv6 ipsec enable
December 2017
Configuring Security on VOSS
270
IPsec configuration examples
Switch 10 VLAN configuration
The following example displays the creation and configuration of VLAN 3 with IPsec.
interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 portmember
interface vlan 3
interface enable
interface address 2000::1
ipv6 ipsec policy ICMP_Policy dir both
ipv6 ipsec enable
Switch 30 security association configuration
The following example displays the configuration of the security association on Switch 30.
ipsec security-association icmp
ipsec security-association icmp encap-proto ESP
ipsec security-association icmp mode transport
ipsec security-association icmp spi 1
ipsec security-association icmp auth-algo SHA1 auth-key
1234567890123456789012345678901234567890 keyLength 40
ipsec security-association icmp Encrpt-algo AES-CBC EncrptKey
12345678901234567890123456789012 keyLength 32
ipsec security-association icmp key-mode manual
ipsec security-association icmp lifetime seconds 1
ipsec security-association icmp lifetime bytes 1
Switch 30 policy configuration
The following example displays the configuration of the security policy on Switch 30.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
ICMP_Policy
admin enable
raddr 2001::1
laddr 2001::2
action permit
protocol icmpv6
security-association icmp
Switch 30 interface configuration
The following example displays the configuration of IPsec on slot/port 1/10.
interface gigabitEthernet 1/10
no shut
ipv6 interface enable
ipv6 interface vlan 3
ipv6 interface address 2001::2
ipv6 ipsec policy ICMP_Policy dir both
ipv6 ipsec enable
Switch 30 VLAN configuration
The following example displays the creation and configuration of VLAN 3 with IPsec.
interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 0
vlan members add 3 1/20
interface vlan 3
ipv6 interface enable
December 2017
Configuring Security on VOSS
271
IPsec
ipv6 interface address 2001::2
ipv6 ipsec policy ICMP_Policy dir both
ipv6 ipsec enable
OSPFv3 IPsec configuration example
The following example displays a network using IPsec used with OSPFv3.
The following example displays the configuration of IPsec with OSPFv3. For OSPFv3 conceptual
and procedural information, see Configuring IPv6 Routing.
Switch 10 security associations
The following example displays the configuration of security associations for OSPFv3 for Switch
10.
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
12345678901234567890123456789012
ipsec security-association ospf1
12345678901234567890123456789012
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
encap-proto ESP
mode transport
spi 1
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
ipsec security-association ospf2
ipsec security-association ospf2
ipsec security-association ospf2
ipsec security-association ospf2
ipsec security-association ospf2
12345678901234567890123456789012
ipsec security-association ospf2
12345678901234567890123456789012
ipsec security-association ospf2
ipsec security-association ospf2
ipsec security-association ospf2
encap-proto ESP
mode transport
spi 2
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
ipsec
ipsec
ipsec
ipsec
security-association
security-association
security-association
security-association
December 2017
ospf3
ospf3 encap-proto ESP
ospf3 mode transport
ospf3 spi 3
Configuring Security on VOSS
272
IPsec configuration examples
ipsec security-association ospf3
12345678901234567890123456789012
ipsec security-association ospf3
12345678901234567890123456789012
ipsec security-association ospf3
ipsec security-association ospf3
ipsec security-association ospf3
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
ipsec security-association ospf4
ipsec security-association ospf4
ipsec security-association ospf4
ipsec security-association ospf4
ipsec security-association ospf4
12345678901234567890123456789012
ipsec security-association ospf4
12345678901234567890123456789012
ipsec security-association ospf4
ipsec security-association ospf4
ipsec security-association ospf4
encap-proto ESP
mode transport
spi 4
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
ipsec security-association ospf5
ipsec security-association ospf5
ipsec security-association ospf5
ipsec security-association ospf5
ipsec security-association ospf5
12345678901234567890123456789012
ipsec security-association ospf5
12345678901234567890123456789012
ipsec security-association ospf5
ipsec security-association ospf5
ipsec security-association ospf5
encap-proto ESP
mode transport
spi 5
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
ipsec security-association ospf6
ipsec security-association ospf6
ipsec security-association ospf6
ipsec security-association ospf6
ipsec security-association ospf6
12345678901234567890123456789012
ipsec security-association ospf6
12345678901234567890123456789012
ipsec security-association ospf6
ipsec security-association ospf6
ipsec security-association ospf6
encap-proto ESP
mode transport
spi 6
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
Switch 10 policy configuration
The following example displays the configuration of policies on Switch 10. The link local address is
fe80:0:0:0:b2ad:aaff:fe43:100 and the remote link local address is fe80:0:0:0:b2ad:aaff:fe43:4d00.
The following displays the policy with the laddr configured to the link local address and raddr
configured to the remote link local address, with the direction configured as outbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf1
ospf1
ospf1
ospf1
ospf1
ospf1
admin enable
raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
laddr fe80:0:0:0:b2ad:aaff:fe43:100
protocol ospfv3
action permit
The following example displays the configuration of policies on Switch 10. The link local address is
fe80:0:0:0:b2ad:aaff:fe43:100 and the remote link local address is fe80:0:0:0:b2ad:aaff:fe43:4d00.
The following displays the policy with the laddr configured to the link local address and raddr
configured to the remote link local address, with the direction configured as inbound.
December 2017
Configuring Security on VOSS
273
IPsec
For a policy direction of inbound, laddr and raddr are reversed before storing to the stack.
Because of this, even though the policy requires you to configure the laddr as the remote link local
address, you need to configure laddr as the link local address in the configuration.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf2
ospf2
ospf2
ospf2
ospf2
ospf2
admin enable
raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
laddr fe80:0:0:0:b2ad:aaff:fe43:100
protocol ospfv3
action permit
Laddr is configured to the link local and raddr is configured to ff02::05 with the direction configured
as outbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf3
ospf3
ospf3
ospf3
ospf3
ospf3
admin enable
raddr ff02::05
laddr fe80:0:0:0:b2ad:aaff:fe43:100
protocol ospfv3
action permit
Laddr is configured to the remote link local and raddr is configured to ff02::05 with the direction
configured as inbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf4
ospf4
ospf4
ospf4
ospf4
ospf4
admin enable
raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
laddr ff02::05
protocol ospfv3
action permit
Laddr is configured to the link local and raddr is configured to ff02::06 with the direction as
outbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf5
ospf5
ospf5
ospf5
ospf5
ospf5
admin enable
raddr ff02::06
fe80:0:0:0:b2ad:aaff:fe43:100
protocol ospfv3
action permit
Laddr is configured to the remote link local and raddr is configured to ff02::06 with the direction
configured as inbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf6
ospf6
ospf6
ospf6
ospf6
ospf6
admin enable
raddr fe80:0:0:0:b2ad:aaff:fe43:4d00
laddr ff02::06
protocol ospfv3
action permit
Switch 10 link table configuration
The following example displays the linking of the policy with the security association on Switch 10.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
December 2017
ospf1
ospf2
ospf3
ospf4
ospf5
ospf6
security-association
security-association
security-association
security-association
security-association
security-association
ospf1
ospf2
ospf3
ospf4
ospf5
ospf6
Configuring Security on VOSS
274
IPsec configuration examples
Switch 10 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 10.
router ospf ipv6-enable
router ospf
ipv6 router-id 1.1.1.1
ipv6 area 0.0.0.1
Switch 10 interface configuration
The following example displays the interface configuration on slot/port 1/10.
interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::1/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
ipv6 ipsec policy ospf3 dir out
ipv6 ipsec policy ospf4 dir in
ipv6 ipsec policy ospf5 dir out
ipv6 ipsec policy ospf6 dir in
ipv6 ipsec enable
Switch 10 VLAN configuration
The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3.
interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2000::1/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
ipv6 ipsec policy ospf3 dir out
ipv6 ipsec policy ospf4 dir in
ipv6 ipsec policy ospf5 dir out
ipv6 ipsec policy ospf6 dir in
ipv6 ipsec enable
Switch 30 security associations
The following example displays the configuration of security associations for OSPFv3 for Switch
30.
ipsec security-association ospf1
12345678901234567890123456789012
ipsec security-association ospf1
12345678901234567890123456789012
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
ipsec security-association ospf2
ipsec security-association ospf2 encap-proto ESP
ipsec security-association ospf2 mode transport
December 2017
Configuring Security on VOSS
275
IPsec
ipsec security-association ospf2
ipsec security-association ospf2
12345678901234567890123456789012
ipsec security-association ospf2
12345678901234567890123456789012
ipsec security-association ospf2
ipsec security-association ospf2
ipsec security-association ospf2
spi 2
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
ipsec security-association ospf3
ipsec security-association ospf3
ipsec security-association ospf3
ipsec security-association ospf3
ipsec security-association ospf3
12345678901234567890123456789012
ipsec security-association ospf3
12345678901234567890123456789012
ipsec security-association ospf3
ipsec security-association ospf3
ipsec security-association ospf3
encap-proto ESP
mode transport
spi 3
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
ipsec security-association ospf4
ipsec security-association ospf4
ipsec security-association ospf4
ipsec security-association ospf4
ipsec security-association ospf4
12345678901234567890123456789012
ipsec security-association ospf4
12345678901234567890123456789012
ipsec security-association ospf4
ipsec security-association ospf4
ipsec security-association ospf4
encap-proto ESP
mode transport
spi 4
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
encap-proto ESP
mode transport
spi 5
key-mode manual
lifetime seconds 1
lifetime bytes 1
security-association
security-association
security-association
security-association
security-association
security-association
security-association
ospf5
ospf5
ospf5
ospf5
ospf5
ospf5
ospf5
ipsec security-association ospf6
ipsec security-association ospf6
ipsec security-association ospf6
ipsec security-association ospf6
ipsec security-association ospf6
12345678901234567890123456789012
ipsec security-association ospf6
12345678901234567890123456789012
ipsec security-association ospf6
ipsec security-association ospf6
ipsec security-association ospf6
encap-proto ESP
mode transport
spi 6
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
Switch 30 policy configuration
In the example, the local addrress is fe80:0:0:0:b2ad:aaff:fe43:4d00, and the remote addrress is
fe80:0:0:0:b2ad:aaff:fe43:100. The policy has the laddr confiugred to the link local address and the
raddr is configured to the remote link local address with the direction configured to outbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
December 2017
ospf1
ospf1
ospf1
ospf1
ospf1
ospf1
admin enable
raddr fe80:0:0:0:b2ad:aaff:fe43:100
laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
protocol ospv3
action permit
Configuring Security on VOSS
276
IPsec configuration examples
Laddr is configured to the remote link local address and raddr is configured to the local link local
address with the direction configured to inbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf2
ospf2
ospf2
ospf2
ospf2
ospf2
admin enable
raddr fe80:0:0:0:b2ad:aaff:fe43:100
laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
protocol ospfv3
action permit
Laddr is configured to the link local address and raddr is configured to ff02::05 with the direction
configured to outbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf3
ospf3
ospf3
ospf3
ospf3
ospf3
admin enable
raddr ff02::05
laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
protocol ospfv3
action permit
Laddr is configured to the remote link local address and the raddr is configured to ff02::05 with the
direction configured to inbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf4
ospf4
ospf4
ospf4
ospf4
ospf4
admin enable
raddr fe80:0:0:0:b2ad:aaff:fe43:100
laddr ff02::05
protocol ospfv3
action permit
Laddr is configured to the link local address and raddr is configured to ff02::06 with the direction
configured to outbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf5
ospf5
ospf5
ospf5
ospf5
ospf5
admin enable
raddr ff02::06
laddr fe80:0:0:0:b2ad:aaff:fe43:4d00
protocol ospfv3
action permit
Laddr is configured to the remote link local address and raddr is configured to ff02::06 with the
direction configured to inbound.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
ospf6
ospf6 admin enable
ospf6 raddr fe80:0:0:0:b2ad:aaff:fe43:100
ospf6 laddr ff02::06
ospf6 protocol ospfv3
ospf6 action permit
Switch 30 link table configuration
The following example displays the linking of the policy with the security association on Switch 30.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
December 2017
ospf1
ospf2
ospf3
ospf4
ospf5
ospf6
security-association
security-association
security-association
security-association
security-association
security-association
ospf1
ospf2
ospf4
ospf3
ospf5
ospf6
Configuring Security on VOSS
277
IPsec
Switch 30 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 30.
router ospf ipv6-enable
router ospf
ipv6 router-id 2.2.2.2
ipv6 area 0.0.0.1
Switch 30 interface configuration
The following example displays the interface configuration on slot/port 1/10.
interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2001::2/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
ipv6 ipsec policy ospf3 dir out
ipv6 ipsec policy ospf4 dir in
ipv6 ipsec policy ospf5 dir out
ipv6 ipsec policy ospf6 dir in
ipv6 ipsec enable
Switch 30 VLAN configuration
The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3.
interface gigabitEthernet 1/10
no shut
exit
minvlan create 3 type port-mstprstp 0
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2001::2/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
ipv6 ipsec policy ospf1 dir out
ipv6 ipsec policy ospf2 dir in
ipv6 ipsec policy ospf3 dir out
ipv6 ipsec policy ospf4 dir in
ipv6 ipsec policy ospf5 dir out
ipv6 ipsec policy ospf6 dir in
ipv6 ipsec enable
OSPFv3 virtual link IPsec configuration example
The following example displays a network using IPsec with OSPFv3 virtual link.
December 2017
Configuring Security on VOSS
278
IPsec configuration examples
Figure 23: OSPFv3 virtual link with IPsec configuration
The following example displays the configuration of IPsec with OSPFv3 virtual link. For OSPFv3
conceptual and procedural information, see Configuring IPv6 Routing.
Switch 10 security association configuration
The following example displays the configuration of security associations for OSPFv3 for Switch
10.
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
12345678901234567890123456789012
ipsec security-association ospf1
12345678901234567890123456789012
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
encap-proto ESP
mode transport
spi 1
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
Switch 10 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 10.
router ospf ipv6-enable
ipv6 forwarding
router ospf
ipv6 router-id 1.1.1.1
ipv6 area 0.0.0.1
ipv6 as-boundary-router
ipv6 area 0.0.0.0
Switch 10 virtual link and policy configuration
The following example displays the configuration of a OSPFv3 virtual link.
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
area
area
area
area
area
area
December 2017
virtual-link
virtual-link
virtual-link
virtual-link
virtual-link
virtual-link
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
3.3.3.3
3.3.3.3
3.3.3.3
3.3.3.3
3.3.3.3
3.3.3.3
ipsec
ipsec security-association
ipsec action permit
ipsec direction both
ipsec enable
Configuring Security on VOSS
ospf1
279
IPsec
Switch 10 interface configuration
The following example displays the interface configuration on slot/port 1/10.
interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::1/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
Switch 10 VLAN configuration
The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3.
interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 port-member
interface vlan 3
ipv6 interface enable
ipv6 interface address 2000::1/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
Switch 20 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 20.
router ospf ipv6-enable
ipv6 forwarding
router ospf
ipv6 router-id 2.2.2.2
ipv6 area 0.0.0.1
Switch 20 interface configuration
The following example displays the interface configuration on slot/port 1/10 and 1/20.
interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::2/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
interface gigabitEthernet 1/20
no shut
ipv6 interface vlan 4
ipv6 interface address 2001::1/64
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
Switch 20 VLAN configuration
The following example displays the creation of VLAN 3 and the configuration of IPsec on VLAN 3
and VLAN 4.
interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 0
December 2017
Configuring Security on VOSS
280
IPsec configuration examples
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2000::2/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
interface gigabitEthernet 1/20
no shut
exit
vlan create 4 type port-mstprstp 0
vlan members add 4 1/20 portmember
interface vlan 4
ipv6 interface enable
ipv6 interface address 2001::1/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
Switch 40 security association configuration
The following example displays the configuration of security associations for OSPFv3 for Switch
40.
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
12345678901234567890123456789012
ipsec security-association ospf1
12345678901234567890123456789012
ipsec security-association ospf1
ipsec security-association ospf1
ipsec security-association ospf1
encap-proto ESP
mode transport
spi 1
auth-algo MD5 auth-key
keyLength 32
Encrpt-algo AES-CTR EncrptKey
keyLength 32
key-mode manual
lifetime seconds 1
lifetime bytes 1
Switch 40 OSPFv3 configuration
The following example displays the OSPFv3 configuration on Switch 40.
router ospf ipv6-enable
ipv6 forwarding
router ospf
ipv6 router-id 3.3.3.3
ipv6 area 0.0.0.1
ipv6 area 0.0.0.2
ipv6 as-boundary-router
Switch 40 OSPFv3 virtual link and policy configuration
The following example displays the configuration of a OSPFv3 virtual link.
ipv6
ipv6
ipv6
ipv6
ipv6
ipv6
area
area
area
area
area
area
virtual-link
virtual-link
virtual-link
virtual-link
virtual-link
virtual-link
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
0.0.0.1
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1
ipsec
ipsec
ipsec
ipsec
ipsec
security-association
action permit
direction both
enable
ospf1
Switch 40 interface configuration
The following example displays the interface configuration on slot/port 1/20.
interface gigabitEthernet 1/20
no shut
ipv6 interface vlan 4
ipv6 interface address 2001::2/64
December 2017
Configuring Security on VOSS
281
IPsec
ipv6 interface enable
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
Switch 40 VLAN interface configuration
The following example displays the creation of VLAN 4 and the configuration of IPsec on VLAN 4.
interface gigabitEthernet 1/20
no shut
exit
vlan create 4 type port-mstprstp 0
vlan members add 4 1/20
interface vlan 4
ipv6 interface enable
ipv6 interface address 2001::2/64
ipv6 ospf area 0.0.0.1
ipv6 ospf enable
IPsec configuration of TCP
The following example displays the configuration of IPsec for TCP.
Switch 10 IPsec security association configuration
The following example displays the configuration of the IPsec security association for TCP for
Switch 10.
ipsec security-association tcp1
ipsec security-association tcp1 encap-proto ESP
ipsec security-association tcp1 mode transport
ipsec security-association tcp1 spi 100
ipsec security-association tcp1 auth-algo MD5 auth-key 12345678901234567890123456789012
keyLength 32
ipsec security-association tcp1 Encrpt-algo AES-CTR EncrptKey
12345678901234567890123456789012 keyLength 32
ipsec security-association tcp1 key-mode manual
ipsec security-association tcp1 lifetime seconds 1
ipsec security-association tcp1 lifetime bytes 1
December 2017
Configuring Security on VOSS
282
IPsec configuration examples
Switch 10 IPsec policy configuration
The following example displays the configuration of the IPsec policy for TCP for Switch 10.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
tcp1
tcp1
tcp1
tcp1
tcp1
tcp1
admin
raddr
raddr
raddr
raddr
enable
2000::2
2000::2 laddr 2000::1
2000::2 protocol tcp sport 23 dport 23
2000::2 action permit
Switch 10 linking the IPsec policy with the IPsec security association
The following example displays the linking of the IPsec policy with the IPsec security association
ipsec policy tcp1 security-association tcp1
Switch 10 interface configuration
The following examples displays the configuration of IPsec for slot/port 1/10.
interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::1/64
ipv6 interface enable
ipv6 ipsec policy tcp1 dir both
ipv6 ipsec enable
Switch 10 VLAN configuration
The following example displays the creation and configuration of VLAN 3.
interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2000::1/64
ipv6 ipsec policy tcp1 dir both
ipv6 ipsec enable
Switch 30 IPsec security association configuration
The following example displays the configuration of the IPsec security association for TCP for
Switch 10.
ipsec security-association tcp1
ipsec security-association tcp1 encap-proto ESP
ipsec security-association tcp1 mode transport
ipsec security-association tcp1 spi 100
ipsec security-association tcp1 auth-algo MD5 auth-key 12345678901234567890123456789012
keyLength 32
ipsec security-association tcp1 Encrpt-algo AES-CTR EncrptKey
12345678901234567890123456789012 keyLength 32
ipsec security-association tcp1 key-mode manual
ipsec security-association tcp1 lifetime seconds 1
ipsec security-association tcp1 lifetime bytes 1
December 2017
Configuring Security on VOSS
283
IPsec
Switch 30 IPsec policy configuration
The following example displays the configuration of the IPsec policy for TCP for Switch 10.
ipsec
ipsec
ipsec
ipsec
ipsec
ipsec
policy
policy
policy
policy
policy
policy
tcp1
tcp1
tcp1
tcp1
tcp1
tcp1
admin
raddr
raddr
raddr
raddr
enable
2000::1
2000::1 laddr 2000::2
2000::1 protocol tcp sport 23 dport 23
2000::1 action permit
Switch 30 linking the IPsec policy with the IPsec security association
The following example displays the linking of the IPsec policy with the IPsec security association
ipsec policy tcp1 security-association tcp1
Switch 30 interface configuration
The following examples displays the configuration of IPsec for slot/port 1/10.
interface gigabitEthernet 1/10
no shut
ipv6 interface vlan 3
ipv6 interface address 2000::2/64
ipv6 interface enable
ipv6 ipsec policy tcp1 dir both
ipv6 ipsec enable
Switch 30 VLAN configuration
The following example displays the creation and configuration of VLAN 3.
interface gigabitEthernet 1/10
no shut
exit
vlan create 3 type port-mstprstp 3
vlan members add 3 1/10 portmember
interface vlan 3
ipv6 interface enable
ipv6 interface address 2000::2/64
ipv6 ipsec policy tcp1 dir both
ipv6 ipsec enable
December 2017
Configuring Security on VOSS
284
Chapter 7: MACsec
The following sections describe Media Access Control Security (MACsec) and its configuration.
Note:
This feature is not supported on all hardware platforms. If you do not see commands for this
feature in the command list or EDM, the feature is not supported on your hardware. For more
information about feature support, see Release Notes.
MACsec fundamentals
MAC Security (MACsec) is based on the IEEE 802.1ae standard that allows authorized systems in
a network to transmit data confidentially and to protect against data transmitted or modified by
unauthorized devices.
You can use MACsec for core and enterprise edge switches to secure site-to-site connectivity
between data centers, provide data security on links that run over public ground, or outside the
physically secure boundaries of a site. You can use MACsec on access switches to secure host to
switch connectivity, and host to switch connectivity in an environment where both trusted and
untrusted hosts co-exist.
In addition to host level authentication, MACsec capable LANs provide data origin authentication,
data confidentiality, and data integrity between authenticated hosts or systems. MACsec protects
data from external hacking while the data passes through the public network to reach a receiver
host.
MACsec enabled hosts encrypt and decrypt every frame exchanged between them using a
MACsec key. The source MACsec host encrypts data frames and destination MACsec host
decrypts the frames, ensuring delivery of the frame in its original condition to the recipient host.
This ensures secure data communication.
You can configure MACsec encryption over any type of point-to-point Ethernet or emulated
Ethernet connection, which includes:
• Dark fiber
• Conventional wavelength-division multiplexing/dense wavelength-division multiplexing
(CWDM/DWDM) service
• Multiprotocol label switching (MPLS) point-to-point (ELINE)
December 2017
Configuring Security on VOSS
285
MACsec
• Provider Backbone Bridge Traffic Engineering (PBB-TE)
You can configure MACsec on a physical port or on a trunk group level, which includes: Split
MultiLink Trunking (SMLT), distributed MultiLink Trunking (DMLT), or Link aggregate group (LAG).
You configure a pre-shared key on either end of the MACsec link. The pre-shared key is an
interface parameter, not a switch-wide parameter.
Note:
MACsec encrypts all packets. If you configure MACsec on one or more MultiLink Trunking
(MLT) port members on one side, you must configure MACsec on the same port members on
the other side. If you do not do this, the port can physically be up, but any overlying protocols
can be down. You do not have to provision MACsec on all MLT port members, but if you
configure MACsec on an MLT port member on one side, you must also provision MACsec on
the corresponding MLT port on the other side.
One way to detect a mismatch of MACsec configuration is to use Virtual Link Aggregation
Control Protocol (VLACP) on the links.
MACsec provides security at the data link layer or the physical layer. It provides enhancements at
the MAC service sub layer for its operation and services to the upper layer.
MACsec is an interface level feature and is disabled by default.
MACsec keys
MACsec provides industry-standard security through secure point-to-point Ethernet links. The
point-to-point links are secured after matching security keys.
Security keys are of two types:
• connectivity association key (CAK), which is a configured pre-shared key. If you enable
MACsec using the static connectivity association key (CAK) security mode.
Important:
The switch supports the configuration of a pre-shared key to enable MACsec using the
static connectivity association key (CAK) security mode.
The CAK must be identical across both ends of MACsec links.
• secure association key (SAK), which is a configured static secure association key. If you use
the static secure association key (SAK) security mode. SAKs are short-lived keys derived
from the CAK or pre-configured for a particular secure channel (SC). MACsec uses a timer to
refresh these keys so that the key, as well the session, is secure.
MACsec uses derived keys to encrypt or decrypt data at each end of the MACsec links.
Integrity Check Verification (ICV)
MACsec ensures data integrity using Integrity Check Verification (ICV). MACsec introduces an 8
or 16 byte SecTag after the Ethernet header, and an 8 or 16 byte calculated ICV after the
December 2017
Configuring Security on VOSS
286
MACsec fundamentals
Encrypted Payload. MACsec computes the ICV for the entire frame, starting from the Ethernet
header, SecTag until the Checksum. The receiving side recalculates the ICV after data decryption
and verifies if the received ICV and computed ICV match. If the ICVs do not match, it indicates
that data is modified, and MACsec drops the frame.
MACsec security modes
The static Connectivity Association Key (CAK) security mode is the only supported MACsec
security mode on the platform, and is also the most common mode to enable MACsec.
When you use the static connectivity association key (CAK) security mode to enable MACsec, you
configure a community association on both ends of the link. A pre-shared key establishes the
MACsec relationship between the switches on each end of the Ethernet link. The two pre-shared
security association keys (SAKs) include a connectivity association key name (CKN) and its own
connectivity association key (CAK). The MACsec CKN and CAK are configured in a connectivity
association and the CAK must match on both ends of the link to initially enable MACsec.
To ensure link security, the system periodically refreshes keys based on traffic volume and link
speed.
To enable MACsec at the port level, you must first associate the port to the connectivity
association. You complete the configuration within the connectivity association, but outside of the
secure channel.
When you use the static CAK security mode, the system automatically creates two secure
channels, one for inbound traffic and another for outbound traffic. You cannot configure any
parameters in the automatically-created secure channels.
The CAK security mode ensures security by frequently refreshing to a new random security key,
and by only sharing the security key between the two devices on the MACsec-secured point-topoint link.
MACsec provides options to encrypt user payload, or send in a clear confidential offset, to start
the encryption from selectable bytes of 0, 30, and 50 after the SecTag header.
You can choose to configure the following optional features:
• Data encryption — If you disable encryption, MACsec forwards traffic in clear text. You can
view that data that is not encrypted in the Ethernet frame that travels across the link. Even if
you disable encryption the MACsec header applies to the frame and integrity checks make
sure that traffic has not been tampered with.
• Confidentiality offset — If encryption is enabled, and an offset is not configured, all traffic in
the connectivity is encrypted. The confidentiality offset provides a way to start encryption
after a few bytes following the Ethernet header. The confidentiality offset facilitates traffic flow
inspection and classification on intermediate devices by not encrypting the Network Layer
header for IPv4 or IPv6. For instance, if you configure the offset to 30, the IPv4 header and
the TCP/UDP header are not encrypted. If you configure the offset to 50, the IPv6 header
and the TCP/UDP header is not encrypted.
December 2017
Configuring Security on VOSS
287
MACsec
Connectivity associations and secure channels
You configure MACsec in connectivity associations (CA). You can enable MACsec after you attach
a connectivity association to an interface. To use the static CAK security mode to enable MACsec,
you must create, and configure connectivity associations on both ends of the link.
A connectivity association (CA) is a logical representation of a MACsec domain within a network.
Each connectivity association is associated with a connectivity association key (CAK). MACsec
links are associated with a CA to establish end-to-end MACsec communication. Every MACsec
enabled interface is a member of one connectivity association. Switch ports are members of a
connectivity association, and can only be a member of one connectivity association.
A secure channel (SC) is a unidirectional channel that connects two endpoints of MACsec. A
secure channel is a long-term relationship that persists through the sequence of secure
associations.
A secure association (SA) is a short-lived relationship within an SC. MACsec identifies each
security association by AN, and supported Secure association key (SAK), which is derived from
the CAK. The secure association key is used on both ends of MACsec links to encrypt and decrypt
the frames. SAKs are frequently refreshed for security reasons. Periodically changing SAs allows
the use of fresh keys without terminating the SC relationship.
You configure connectivity associations. Secure channels and secure associations are internally
created in the hardware.
MACsec 2AN and 4AN mode
MACsec 2AN mode implementations use two security associations (SA) for each secure channel
(SC) and symmetric keys on both MACsec endpoints. The keys are symmetric because they are
both derived from the same connectivity association key (CAK).
MACsec 4AN mode generates four Secure Associations Keys (SAK) per secure channel. It uses
enhanced hashing algorithm to derive eight SAKs, and uses asymmetric keys on both ends. You
can use the macsec connectivity-association command to configure different
(asymmetric) transmit keys for each endpoint by using the key-parity keyword. If you do not
specify a value for key-parity, the connectivity association is created in 2AN mode. For more
information about configuring MACsec transmit keys, see Configuring a connectivity
association on page 292.
MACsec components
MACsec has three major components:
• Security entity (SecY)
December 2017
Configuring Security on VOSS
288
MACsec fundamentals
SecY is the entity that operates the MACsec protocol within the system. You configure a
secure community association (CA) to meet the requirements of MACsec for connectivity
between stations that attach to an individual LAN. Unidirectional secure channels (SC)
support each CA. Each SC supports secure transmission of frames through the use of
symmetric key cryptography from one of the systems to all the others in the CA.
Each SecY transmits frames conveying secure MACsec service requests on a single SC, and
receives frames conveying secure service indications on separate SCs, one for each of the
other SecYs that participate in the secure CA.
A connectivity association (CA) is a logical representation of a MACsec domain within a
network. Each connectivity association is associated with a connectivity association key
(CAK). MACsec links are associated with a CA to establish end-to-end MACsec
communication. Every MACsec enabled interface is a member of one connectivity
association. Switch ports are members of a connectivity association, and can only be a
member of one connectivity association.
A secure channel (SC) is a unidirectional channel that connects two endpoints of MACsec. A
secure channel is a long-term relationship that persists through the sequence of secure
associations. An SC is a unidirectional point to multipoint communication, and can persist
through Secure Association Key (SAK) changes. A sequence of Secure Associations (SAs)
support each SC and allow for the periodic use of fresh keys without terminating the
relationship. A single secret key or a set of keys support each SA, where the cryptographic
operations used to protect one frame require more than one key. An SCI identifies each SC.
An SCI is comprised of a unique 48-bit universally administered MAC address, identifying the
system to which the transmitting SecY belongs, concatenated with a 16-bit port number,
identifying the SecY within that system.
The SCI concatenated with a two-bit AN identifies each SA. The Secure Association Identifier
(SAI) created allows the receiving SecY to identify the SA, and the SAK used to decrypt and
authenticate the received frame. The AN, and hence the SAI, are only unique for the SAs that
can be used or recorded by participating SecYs at any instant.
December 2017
Configuring Security on VOSS
289
MACsec
Figure 24: MACsec relationship
• Key agreement entity (KaY)
The KaY in MACsec is responsible for CAK and SAK computations, distributions and
maintenance of those keys. CAK is a global key which is persistent until the CA exists. When
you configure the CAK, ensure that it is identical across MACsec links. SAK are short-lived
keys derived from the CAK, or pre-configured for a particular SC. MACsec uses a timer to
refresh these keys so that the key, as well the session, is secure.
A separate 802.1x-2010 standard is available to automate the above key exchanges and
maintenance. The keys are pre-configured.
• Integrity check verification (ICV) or Cryptographic entity
The Cryptographic entity provides integrity check protection and validation for frames
transmitted or received through the SecY layer. The ICV is calculated for the frame SA/DA,
SecTag, User Payload, and CRC. The calculated ICV is appended at the end-of-frame,
recalculated at the receiver side of MACsec link and validated to see if they are equal. This is
called Integrity Check Verification (ICV). The frames that pass the integrity check are further
processed, while the system drops the frames that fail the integrity check.
MACsec configuration provides options to encrypt user payload or send in the clear. The
option to start the encryption from N bytes after the Ethernet header also exists.
In the following figure, CA connects switches A, B, and C by their respective SC and SAK.
Station D cannot participate in the secure communication between A, B, or C as station D
does not know the SAK.
December 2017
Configuring Security on VOSS
290
MACsec fundamentals
MACsec operation
As shown in the following figure, a host that connects to Switch A sends an Ethernet frame to a
host that connects to Switch B. Switch A encrypts the frame, excluding the Ethernet header and
optionally the 802.1Q header. Switch A also appends MACsec information like SecTag and ICV to
the encrypted payload and transmits the frame using normal frame transmission. This process
ensures data confidentiality.
On receiving the frame, Switch B decrypts the frame. Switch B recalculates the ICV using a
MACsec key and the SecTag present in the frame. If the ICV present in the received frame
matches the recalculated ICV, the switch processes the frame. If the two ICVs do not match, the
switch discards the frame. This process ensures data origin authenticity and data integrity. The
encryption and decryption algorithms follow the AES-GCM-128 standard.
The MACsec key between switches A and B are statically pre-configured.
Note:
MACsec will be operational between two switches across Point-to-Point Connectivity only
when the switches are either directly connected or across a network cloud that provides P2P
connectivity between the two switches.
December 2017
Configuring Security on VOSS
291
MACsec
For example, in the following figure you can enable MACsec between two switches across a
network cloud where P2P connectivity between the switches is provided via services such as
P2P, MPLS, Layer 2 VPN (ELINE), or connectivity across Dark Fiber. However, it is important
to note that MACsec will not be operational between two switches across a network cloud if
the intermediate routers/switches need to inspect the VLAN tag or IP header for service
classification. This is because MACsec encrypts the entire data frame including the VLAN
header and as such the intermediate switches/routers will not have visibility into the same to
perform service classification.
Figure 25: MACsec operation
MACsec performance
To monitor MACsec performance, view the performance statistics. For information on the
supported statistics, see Monitoring Performance.
MACsec configuration using CLI
Configuring a connectivity association
Use the following procedure to configure a connectivity association (CA) in static CAK security
mode using the CLI.
Procedure
1. Enter Global Configuration mode:
enable
December 2017
Configuring Security on VOSS
292
MACsec configuration using CLI
configure terminal
2. Configure a CA:
macsec connectivity-association WORD<5–15> connectivityassociation-key WORD<10–32> [key-parity even|odd]
Note:
If you do not specify a key-parity value, the CA is created in 2AN mode.
3. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
4. Associate a port with a CA:
macsec connectivity-association WORD<5–15>
5. Enable encryption on the port.
macsec encryption enable
6. Enable MACsec on the port:
macsec enable
Example
Configure a connectivity association and enable MACsec on a port:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#macsec connectivity-association caname1 connectivity-association-key
1029384756abcdef key-parity even
Switch:1(config)#interface gigabitethernet 1/2
Switch:1(config-if)#macsec connectivity-association caname1
Switch:1(config-if)#macsec encryption enable
Switch:1(config-if)#macsec enable
Variable definitions
Use the data in the following table to use the macsec command.
Variable
Value
connectivity-association WORD<5–15>
Specifies a connectivity-association name. It is a 5
to 15 character alphanumeric string.
Table continues…
December 2017
Configuring Security on VOSS
293
MACsec
Variable
Value
connectivity-association-key WORD<10–32>
Specifies the value of the connectivity-association
key (CAK). A 32 character hexadecimal string is
recommended.
key-parity even|odd
Specifies Tx key parity using the following values:
• even — generates even-numbered keys for Tx
• odd — generates odd-numbered keys for Tx
Note:
If you do not specify a key-parity value, the
connectivity association (CA) is created in 2AN
mode.
Use the data in the following table to use the interface gigabitethernet command.
Variable
Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
Specifies the port that you want to associate with
the CA.
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of
slots and ports (slot/port-slot/port), or a series of
slots and ports (slot/port,slot/port,slot/port). If your
platform supports channelization and the port is
channelized, you must also specify the sub-port in
the format slot/port/sub-port.
Updating the connectivity association key (CAK)
Use the following procedure to update the connectivity association key (CAK).
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Disable MACsec on the port:
no macsec enable
December 2017
Configuring Security on VOSS
294
MACsec configuration using CLI
3. Update the connectivity association key (CAK):
macsec connectivity-association WORD<5–15> connectivity-association
key WORD<10–32> {key-parity even|odd}
Note:
If you do not specify a key-parity value, the system defaults to 2AN mode.
4. Enable MACsec on the port:
macsec enable
Example
Update the connectivity association key (CAK):
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabit 1/2
Switch:1(config-if)#no macsec enable
Switch:1(config-if)#macsec connectivity-association caname1 connectivity-associationkey 1029384756abcdef key-parity even
Switch:1(config-if)#macsec enable
Variable definitions
Use the data in the following table to use the macsec command.
Variable
Value
connectivity-association WORD<5–15>
Specifies a connectivity-association name. It is a 5
to 15 character alphanumeric string.
connectivity-association-key WORD<10–32>
Specifies the value of the connectivity-association
key (CAK). A 32 character hexadecimal string is
recommended.
Use the data in the following table to use the interface gigabitethernet command.
Variable
Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
Specifies the port that you want to associate with
the connectivity association (CA).
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of
slots and ports (slot/port-slot/port), or a series of
slots and ports (slot/port,slot/port,slot/port). If your
platform supports channelization and the port is
channelized, you must also specify the sub-port in
the format slot/port/sub-port.
December 2017
Configuring Security on VOSS
295
MACsec
Configuring MACsec encryption on a port
Use the following procedure to enable or disable encryption on a MACsec capable port. The
default is disabled.
About this task
If you disable encryption, MACsec forwards traffic in clear text. You can view that data that is not
encrypted in the Ethernet frame that travels across the link. Even if you disable encryption the
MACsec header applies to the frame and integrity checks make sure that traffic has not been
tampered with.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Enable MACsec encryption on the port:
macsec encryption enable
3. Disable MACsec encryption on the port:
no macsec encryption enable
Example
Configure MACsec encryption on a port:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabit 1/2
Switch:1(config-if)#macsec encryption enable
Configuring the confidentiality offset on a port
Use the following procedure to configure the confidentiality offset on a port. The default is
disabled.
About this task
The confidentiality offset provides a way to start encryption after a few bytes following the Ethernet
header. The confidentiality offset facilitates traffic flow inspection and classification on intermediate
devices by not encrypting the Network Layer header for IPv4 or IPv6. For instance, if you
December 2017
Configuring Security on VOSS
296
MACsec configuration using CLI
configure the offset to 30, the IPv4 header and the TCP/UDP header are not encrypted. If you
configure the offset to 50, the IPv6 header and the TCP/UDP header are not encrypted.
Procedure
1. Enter GigabitEthernet Interface Configuration mode:
enable
configure terminal
interface GigabitEthernet {slot/port[/sub-port][-slot/port[/subport]][,...]}
Note:
If your platform supports channelization and the port is channelized, you must also
specify the sub-port in the format slot/port/sub-port.
2. Configure confidentiality offset on the port:
macsec confidentiality-offset <30–50>
3. Disable the confidentiality offset on the port:
no macsec confidentiality-offset
Example
Configuring the confidentiality offset on the port:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabit 1/2
Switch:1(config-if)#macsec confidentiality-offset 30
Variable definitions
Use the data in the following table to use the macsec confidentiality-offset command.
Variable
Value
<30–50>
Specifies the bytes after the Ethernet header from
which data encryption begins. Valid values are 30
and 50.
Use the data in the following table to use the interface gigabitethernet command.
Variable
Value
{slot/port[/sub-port][-slot/port[/sub-port]][,...]}
Specifies the port that you want to associate with
the connectivity association (CA).
Identifies the slot and port in one of the following
formats: a single slot and port (slot/port), a range of
slots and ports (slot/port-slot/port), or a series of
slots and ports (slot/port,slot/port,slot/port). If your
platform supports channelization and the port is
December 2017
Configuring Security on VOSS
297
MACsec
Variable
Value
channelized, you must also specify the sub-port in
the format slot/port/sub-port.
Viewing the MACsec connectivity association details
Perform this procedure to view the MACsec connectivity association (CA) details.
Procedure
1. Enter Privileged EXEC mode:
enable
2. View the MACsec CA details:
show macsec connectivity-association [WORD<5–15>]
Note:
This command displays the MACsec CA details, including the MD5 hashed value of
the CA key.
Example
View the MACsec connectivity association details:
Note:
Slot and port information can differ depending on hardware platform. For more information
about specific hardware, see your hardware documentation.
Switch:1>show macsec connectivity-association
========================================================================================
==
MACSEC Connectivity Associations Info
========================================================================================
==
Connectivity
Connectivity
AN_Mode /
Port
Association Name
Association Key Hash
TxKeyParity
Members
----------------------------------------------------------------------------------------ca150
ba6b005bef79e7b95f3e08181e2501ce
2AN / NA
1/49
ca151
5b41f44ecaa54f3873e781557b39230b
4AN / odd
ca152
053f26fb96b011191f2da28849f08677
4AN / Even
1/50
Switch:1#show macsec statistics 1/50 secure-channel inbound
========================================================================================
==
MACSEC Port Inbound Secure Channel Statistics
========================================================================================
==
UnusedSA
NoUsingSA
Late
NotValid
Invalid
PortId
Packets
Packets
Packets
Packets
Packets
-----------------------------------------------------------------------------------------
December 2017
Configuring Security on VOSS
298
MACsec configuration using CLI
1/47
0
0
0
0
0
Delayed
Unchecked
Ok
Octets
Octets
PortId
Packets
Packets
Pkts
Validated
Decrypted
----------------------------------------------------------------------------------------1/47
0
0
1796
0
169282
Switch:1#show macsec statistics 1/50 secure-channel outbound
========================================================================================
============
MACSEC Port Outbound Secure Channel Statistics
========================================================================================
============
Protected
Encrypted
Octets
Octets
PortId
Packets
Packets
Protected
Encrypted
--------------------------------------------------------------------------------------------------1/47
0
2628
0
277182
Viewing MACsec status
Perform this procedure to view MACsec status.
About this task
This command displays the status for the following:
• MACsec status
• MACsec encryption status
• The associated Connectivity Association (CA) name
Note:
If you do not specify a port number, the information on all MACsec capable interfaces is
displayed.
Procedure
1. Enter Privileged EXEC mode:
enable
2. View the MACsec status:
show macsec status {slot/port[/sub-port][-slot/port[/sub-port]]
[,...]}
3. Display all MACsec related information:
show macsec
Example
View the MACsec status:
December 2017
Configuring Security on VOSS
299
MACsec
Note:
Slot and port information can differ depending on hardware platform. For more information
about specific hardware, see your hardware documentation.
The switch does not support replay protect.
Switch:1>enable
Switch:1#show macsec status
===========================================================================
MACSEC Port Status
===========================================================================
MACSEC
Encryption Replay
Replay
Encryption
CA
PortId Status
Status
Protect
Protect W'dow
Offset
Name
--------------------------------------------------------------------------1/39
enabled
enabled
disabled
-ipv4Offset(30) ca333
1/40
disabled
disabled
disabled
-none
Nil
Switch:1#show macsec status 1/40
===========================================================================
MACSEC Port Status
===========================================================================
MACSEC
Encryption Replay
Replay
Encryption
CA
PortId Status
Status
Protect
Protect W'dow
Offset
Name
--------------------------------------------------------------------------1/40
enabled
enabled
disabled
-ipv4Offset(30) ca333
Display all MACsec information:
Switch:1#show macsec
========================================================================================
============
MACSEC Connectivity Associations Info
========================================================================================
============
Connectivity
Connectivity
AN_Mode /
Port
Association Name
Association Key Hash
TxKeyParity
Members
--------------------------------------------------------------------------------------------------caname1
d4433e901bae92d0cc472706f66cfc18
4AN / odd
All 1 out of 1 Total Num of Macsec connectivity associates displayed
========================================================================================
============
MACSEC Port Status
========================================================================================
============
MACSEC
Encryption Replay
Replay
Encryption
CA
PortId
Status
Status
Protect
Protect W'dow
Offset
Name
--------------------------------------------------------------------------------------------------1/1
disabled
disabled
disabled
-none
Nil
1/2
disabled
disabled
disabled
-none
Nil
1/3
disabled
disabled
disabled
-none
Nil
1/4
disabled
disabled
disabled
-none
Nil
1/5
disabled
disabled
disabled
-none
Nil
1/6
disabled
disabled
disabled
-none
Nil
1/7
disabled
disabled
disabled
-none
Nil
December 2017
Configuring Security on VOSS
300
MACsec configuration using EDM
1/8
1/9
1/10
1/11
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
-----
none
none
none
none
Nil
Nil
Nil
Nil
--More-- (q = quit)
MACsec configuration using EDM
Configuring connectivity associations
Use the following procedure to configure connectivity associations (CA) using EDM.
Procedure
1. In the navigation tree, expand the following folders: Configuration > Edit.
2. Click Chassis.
3. Click the Macsec tab.
4. Click Insert.
a. In the AssociationName field, type the connectivity-association name.
b. In the AssociationKey field, type the value of the connectivity-association key.
Note:
The connectivity-association key appears as an MD5-hashed text in the MAC
security table.
c. In the AssociationTxKeyParity box, select an option for Tx key parity.
d. Click Insert to save the configuration.
5. Click Apply.
Macsec field descriptions
Use the data in the following table to use the Macsec tab.
Name
Description
AssociationName
Specifies a name for each connectivity association
configured on the device.
AssociationKey
Specifies a pre-shared, connectivity association key
associated with each connectivity association
configured on the device.
Table continues…
December 2017
Configuring Security on VOSS
301
MACsec
Name
Description
AssociationPortMembers
Specifies the set of ports for which this connectivity
association is associated.
AssociationTxKeyParity
Specifies Tx key parity using the following values:
• None — key parity is not specified
Note:
The none value only applies to platforms that
support 2AN mode. If you do not specify a
key parity value, the system defaults to 2AN
mode. For information about feature support,
see Release Notes.
• Even — generates even-numbered keys
• Odd — generates odd-numbered keys
Associating a port with a connectivity association
Use the following procedure to associate a port with a connectivity association (CA) using EDM.
For VSP 4000, you can associate connectivity associations to device ports 1/49 and 1/50 only.
Procedure
1. In the Device Physical View, click on the port that you want to associate with the
connectivity association.
2. In the navigation tree, expand the following folders: Configuration > Edit > Port.
3. Click General.
4. Click the Macsec tab.
5. In the CAName field, type the connectivity-association name.
6. In the OffsetValue field, select the value of confidentiality offset to be achieved.
7. Select the EncryptionEnable checkbox to enable encryption for the frames transmitted on
the port.
8. Select the Macsec Enable checkbox to enable MACsec on the port.
9. Click Apply to save the configuration.
Macsec field descriptions
Use the data in the following table to configure the Macsec tab.
December 2017
Configuring Security on VOSS
302
MACsec configuration using EDM
Name
Description
CAName
Specifies the name of the connectivity association
attached to the port or interface.
OffsetValue
Offsets MACsec encryption in an IPv4 TCP/UDP
header or IPv6 TCP/UDP header.
The confidentiality offset provides a way to start
encryption after a few bytes following the Ethernet
header. The confidentiality offset facilitates traffic
flow inspection and classification on intermediate
devices by not encrypting the Network Layer header
for IPv4 or IPv6. For instance, if you configure the
offset to 30, the IPv4 header and the TCP/UDP
header are not encrypted. If you configure the offset
to 50, the IPv6 header and the TCP/UDP header is
not encrypted.
EncryptionEnable
Specifies the encryption status per port.
Use this field to enable or disable encryption for
each MACsec capable port.
Macsec Enable
December 2017
Enables or disables MACsec on the port.
Configuring Security on VOSS
303
Chapter 8: RADIUS
The following sections describe Remote Access Dial-In User Services (RADIUS) and its
configuration.
RADIUS fundamentals
Remote Access Dial-In User Services (RADIUS) is a distributed client/server system that assists
in securing networks against unauthorized access, allowing a number of communication servers
and clients to authenticate users identity through a central database. The database within the
RADIUS server stores information about clients, users, passwords, and access privileges
including the use of shared secret.
RADIUS is a fully open and standard protocol, defined by two Requests for Comments (RFC)
(Authentication: RFC2865, Accounting: RFC2866). You use RADIUS authentication to get secure
access to the system (console/Telnet/SSH/EDM), and RADIUS accounting to track the
management sessions (CLI only).
RADIUS support for IPv6
RADIUS supports both IPv4 and IPv6 with no differences in functionality or configuration in all but
the following case. When you add or update a RADIUS server in Enterprise Device Manager
(EDM) you must specify if the address type is an IPv4 or an IPv6 address.
How RADIUS works
A RADIUS application has two components:
• RADIUS server
A computer equipped with server software (for example, a
UNIX workstation) that is located at a central office or campus.
The server has authentication and access information in a form
that is compatible with the client. Typically, the database in the
RADIUS server stores client information, user information,
password, and access privileges, including the use of a shared
secret. A network can have one server for both authentication
and accounting, or one server for each service.
• RADIUS client
A device, router, or a remote access server, equipped with
client software, that typically resides on the same local area
network (LAN) segment as the server. The client is the network
access point between the remote users and the server.
December 2017
Configuring Security on VOSS
304
RADIUS fundamentals
The two RADIUS processes are
• RADIUS authentication—Identifies remote users before you give them access to a central
network site.
• RADIUS accounting—Performs data collection on the server during a remote user's dial-in
session with the client.
Configuration of the RADIUS server and client
For more information about how to configure a RADIUS server, see the documentation that came
with the server software.
The switch software supports BaySecure Access Control (BSAC) and the Merit Network servers.
To use these servers, you must first obtain the software for the server you will use. Also, you must
make changes to one or more configuration files for these servers.
RADIUS authentication
You can use RADIUS authentication to use a remote server to authenticate logons. The RADIUS
server also provides access authority. RADIUS assists network security and authorization by
managing a database of users. The device uses this database to verify user names and
passwords as well as information about the type of access priority available to the user.
When the RADIUS client sends an authentication request requesting additional information such
as a SecurID number, it sends it as a challenge-response. Along with the challenge-response, it
sends a reply-message attribute. The reply-message is a text string, such as Please enter
the next number on your SecurID card:. The RFC defined maximum length of each
reply-message attribute is 253 characters. If you have multiple instances of reply-message
attributes that together form a large message that displays to the user, the maximum length is
2000 characters.
You can use additional user names to access the device, in addition to the six existing user names
of ro, L1, L2, L3, rw, and rwa. The RADIUS server authenticates the user name and assigns one
of the existing access priorities to that name. Unauthenticated user names are denied access to
the device. You must add user names ro, L1, L2, L3, rw, and rwa to the RADIUS server if you
enable authentication. Users not added to the server are denied access.
The following list shows the user configurable options of the RADIUS feature:
• Up to 10 RADIUS servers in each device for fault tolerance (each server is assigned a priority
and is contacted in that order).
• A secret key for each server to authenticate the RADIUS client
• The server UDP port
• Maximum retries allowed
• Time-out period for each attempt
Note:
If you enable enhanced secure mode with the boot config flags enhancedsecuremode command, you enable different access levels, along with stronger password complexity,
length, and minimum change intervals. With enhanced secure mode enabled, the switch
supports the following access levels for RADIUS authentication:
• Administrator
December 2017
Configuring Security on VOSS
305
RADIUS
• Privilege
• Operator
• Auditor
• Security
The switch associates each username with a certain role and appropriate authorization rights
to view and configure commands. For more information on system access fundamentals and
configuration, see Administering.
Use of RADIUS to modify user access to CLI commands
The switch provides CLI command access based on the configured access level of a user.
However, you can use RADIUS to override CLI command access provided by the switch.
To override user access to CLI commands, you must configure the command-access-attribute on
the switch and on the RADIUS server. (The switch uses decimal value 194 as the default for this
parameter.) On the RADIUS server, you can then define the commands that the user can or
cannot access.
Important:
When you enable RADIUS on the switch and configure a RADIUS server to be used by CLI or
EDM, the server authenticates the connection, whether it is FTP, HTTPs, SSH, or TELNET.
However, in the event that the RADIUS server is unresponsive or is unreachable, the switch
fall backs to the local authentication, so that you can access the switch using your local login
credentials.
Regardless of the RADIUS server configuration, you must configure the user’s access on the
switch based on the six platform access levels.
RADIUS accounting
RADIUS accounting logs all of the activity of each remote user in a session on the centralized
RADIUS accounting server.
Session-IDs for each RADIUS account generate as 12-character strings. The first four characters
in the string form a random number in hexadecimal format. The last eight characters in the string
indicate the number of user sessions started since the last restart, in hexadecimal format.
The Network Address Server (NAS) IP address for a session is the address of the device interface
to which the remote session is connected over the network. For a console session, modem
session, and sessions running on debug ports, this value is set to 0.0.0.0, as is the case with
RADIUS authentication.
The following table summarizes the events and associated accounting information logged at the
RADIUS accounting server.
Table 8: Accounting events and logged information
Event
Accounting information logged at server
Accounting is turned on at router
• Accounting on request: NAS IP address
Accounting is turned off at router
• Accounting off request: NAS IP address
Table continues…
December 2017
Configuring Security on VOSS
306
RADIUS fundamentals
Event
Accounting information logged at server
User logs on
• Accounting start request: NAS IP address
• Session ID
• User name
More than 40 CLI commands are executed
• Accounting interim request: NAS IP address
• Session ID
• CLI commands
• User name
User logs off
• Accounting stop request: NAS IP address
• Session ID
• Session duration
• User name
• Number of input octets for session
• Number of octets output for session
• Number of packets input for session
• Number of packets output for session
• CLI commands
When the device communicates with the RADIUS accounting server, the following actions occur:
1. If the server sends an invalid response, the response is silently discarded and the server
does not make an attempt to resend the request.
2. User-specified number of attempts are made if the server does not respond within the
user-configured timeout interval. If a server does not respond to any of the retries, requests
are sent to the next priority server (if configured). You can configure up to 10 RADIUS
servers for redundancy.
RFC 4675 RADIUS attributes: Egress VLAN
Egress VLAN controls egress traffic. Egress VLAN supports two standard RADIUS attributes as
defined in RFC 4675:
• Egress-VLANID
• Egress-VLAN-Name
RADIUS attributes control the 802.1Q tagging for traffic egressing a port where RADIUS
authentication is performed for a connected EAP or NEAP client.
Egress VLANs are standard attributes, therefore the RADIUS server supports the attributes by
default and offer the ability to configure the attributes. Each attribute has two parts:
1. Indicates if the frames on the VLAN egress must be tagged or untagged
2. Specifies the VLAN name or VLAN ID
The switch applies the VLAN received in the Egress-VLAN attributes to the port where the client is
authenticated through RADIUS and then sets the tagging rules (tagged or untagged) accordingly.
December 2017
Configuring Security on VOSS
307
RADIUS
The switch processes the Egress-VLAN attributes when decoding the RADIUS packet, therefore
the switch adds the port to the VLANs first and then sets the proper tagging for the VLANs. You
can create VLANs in advance on the switch.
In the MultiVlan operation mode, the EAP applies ingress hardware rules to ensure untagged
traffic from each authenticated client goes into its own VLAN. The unauthenticated clients send
traffic to the Guest VLAN which matches the PVID.
RADIUS server reachability
Configure up to 10 EAP RADIUS servers on the switch to manage fault tolerance. Each server is
assigned a priority and is contacted in the priority order. If the first server is unavailable, the switch
tries the second server, and so on, until the switch establishes a successful connection. Higher
priority means lower integer value.
RADIUS server reachability prevents clients from trying to establish a connection with non
reachable servers. RADIUS server reachability runs a periodic check in the background to identify
the available servers. The switch is aware of the first available EAP RADIUS server without going
through each of the servers and wait for time-outs.
Use RADIUS server reachability to configure the switch to use dummy RADIUS requests to
determine the reachability of the RADIUS server. The switch regularly performs the reachability
test to determine if the switch should fail over to the secondary RADIUS server or activate the Fail
Open VLAN, if configured on the switch. The switch regularly generates a dummy RADIUS
request with the username extremenetworks and password extremenetworks. The switch
interprets either Request Accept or Request Reject responses as a confirmation for server
reachability, therefore it is not necessary to add the credentials on the server to test server
reachability. Configure the Username and password for the dummy account through CLI.
Note:
The RADIUS server reachability is enabled on the switch and is not a configurable option.
Based on the number of EAP RADIUS servers configured, the switch performs the following:
• If the highest priority EAP RADIUS server is reachable, the server status is updated to
reachable and further authentication will use this server. As long as the highest priority EAP
RADIUS server is reachable, the rest of the EAP RADIUS servers are not tested for
reachability.
• If the highest priority EAP RADIUS server is not reachable, then the switch tests the rest of
the EAP RADIUS servers for reachability. The servers are checked one by one for
reachability based on their priority from highest to lowest. The first server that is reachable is
used for authentication and the rest of the lower priority EAP RADIUS servers if any, are
skipped from the reachability test.
• If all the EAP RADIUS servers are unreachable, then no further authentication occurs until
the next successful reachability check.
The intervals between two consecutive reachability checks can be configured. The default values
are as follows:
• one minute, if the last check result was unreachable
• three minutes, if the last check result was reachable
A server is marked as unreachable after a number of retries and time-outs. The default number of
retries is 1 and the default time-out value is 3 seconds, but you can also configure these values in
CLI.
December 2017
Configuring Security on VOSS
308
RADIUS configuration using CLI
RFC 3580 RADIUS attributes: IEEE 802.1X Remote Authentication Dial In User
Service
RFC 3580 provides support for EAP and NEAP clients for the following RADIUS attributes:
• Called-Station ID attribute: For IEEE 802.1X authenticators, the Called-Station ID stores the
bridge or access point MAC address in upper case ASCII format, with octet values separated
by a hyphen (-). For example: 00-10-A4-23-19-C0.
In IEEE 802.11, where the SSID is known, the SSID must be appended to the access point
MAC address and separated from the MAC address with a colon (:). For example: 00-10A4-23-19-C0:AP1.
• Calling-Station ID: For IEEE 802.1X authenticators, the Calling-Station ID is used to store the
supplicant MAC address in upper case ASCII format, with octet values separated by a
hyphen (-). For example: 00-10-A4-23-19-C0.
• NAS-Port ID: The NAS-Port ID is used to identify the IEEE 802.1X Authenticator port which
authenticates the Supplicant. The NAS-Port-Id differs from the NAS-Port in that it is a string
of variable length whereas the NAS-Port is a 4 octet value.
RADIUS configuration using CLI
You can configure Remote Access Dial-In User Services (RADIUS) to secure networks against
unauthorized access, and allow communication servers and clients to authenticate users identity
through a central database.
The database within the RADIUS server stores client information, user information, password, and
access privileges, including the use of shared secret.
RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration
using CLI.
RADIUS is a fully open and standard protocol, defined by RFCs (Authentication: RFC2865,
accounting RFC2866). With the switch, you use RADIUS authentication to secure access to the
device (console/Telnet/SSH), and RADIUS accounting to track the management sessions for
Command Line Interface (CLI) only.
RADIUS authentication allows the remote server to authenticate logons. RADIUS accounting logs
all of the activity of each remote user in a session on the centralized RADIUS accounting server.
Configuring RADIUS attributes
Configure RADIUS to authenticate user identity through a central database.
Procedure
1. Enter Global Configuration mode:
enable
December 2017
Configuring Security on VOSS
309
RADIUS
configure terminal
2. Configure RADIUS access priority:
radius access-priority-attribute <192-240>
3. Configure RADIUS accounting:
radius accounting {attribute-value <192-240>|enable|include-clicommands}
4. Configure the RADIUS authentication info attribute value:
radius auth-info-attr-value <0-255>
5. Clear RADIUS statistics:
radius clear-stat
6. Configure the value of the CLI commands:
radius cli-commands-attribute <192-240>
7. Configure the value of the command access attribute:
radius command-access-attribute <192-240>
8. Configure the maximum number of servers allowed:
radius maxserver <1-10>
9. Configure the multicast address attribute:
radius mcast-addr-attr-value <0-255>
Example
Switch:1>enable
Switch:1#configure terminal
Configure RADIUS access priority:
Switch:1(config)#radius access-priority-attribute 192
Configure RADIUS accounting to include CLI commands:
Switch:1(config)#radius accounting include-cli-commands
Variable definitions
Use the data in the following table to use the radius command.
Variable
Value
access-priority-attribute <192-240>
Specifies the value of the access priority attribute in the range
of 192 to 240. The default is 192.
accounting {attribute-value <192-240>|
enable|include-cli-commands}
Configures the accounting attribute value, enable accounting,
or configure if accounting includes CLI commands. The default
Table continues…
December 2017
Configuring Security on VOSS
310
RADIUS configuration using CLI
Variable
Value
is false. Use the no option to disable the accounting attribute
value: no radius accounting enable.
auth-info-attr-value <0-255>
Specifies the value of the authentication information attribute in
the range of 0 to 255.The default is 91.
clear-stat
Clears RADIUS statistics.
cli-cmd-count <1–40>
Specifies how many CLI commands, from 1 to 40, before the
system sends a RADIUS accounting interim request. The
default value is 40.
cli-commands-attribute <192-240>
Specifies the value of CLI commands attribute in the range of
192 to 240. The default is 195.
cli-profile
Enable RADIUS CLI profiling. CLI profiling grants or denies
access to users being authenticated by way of the RADIUS
server. You can add a set of CLI commands to the
configuration on the RADIUS server, and you can specify the
command-access more for these commands. The default is
false.
command-access-attribute <192-240>
Specifies the value of the command access attribute in the
range of 192 to 240. The default is 194.
enable
Enable RADIUS authentication globally on the switch.
maxserver <1-10>
Specific to RADIUS authentication, configures the maximum
number of servers allowed for the device. The range is
between 1 and 10. The default is 10.
mcast-addr-attr-value <0-255>
Specifies the value of the multicast address attribute in the
range of 0 to 255. The default is 90.
server host WORD<0–46> key
• host WORD<0–46>
WORD<0–32> [used-by {cli|snmp|web}
Creates a host server. WORD<0–46> signifies an IP
[acct-enable] [acct-port <1–65536> ]
address.
[enable] [port <1–65536> ] [priority <1–
10> ] [retry <0–6> ] [source-ip WORD<0– • key WORD<0–32>
46> ] [timeout <1–60> ]
Specifies a secret key in the range of 0–32 characters.
• used-by {cli|snmp|web}
Specifies how the server functions. Configures the server for
authentication for
- cli
- snmp
- web
• acct-enable
Enables RADIUS accounting on this server. The system
enables RADIUS accounting by default.
• acct-port <1–65536>
Specifies a UDP port of the RADIUS accounting server (1 to
65536). The default value is 1816. The UDP port value set
Table continues…
December 2017
Configuring Security on VOSS
311
RADIUS
Variable
Value
for the client must match the UDP value set for the RADIUS
server.
• enable
Enables the server. The default is true.
• port <1–65536>
Specifies a UDP port of the RADIUS server. The default
value is 1812.
• priority <1–10>
Specifies the priority value for this server. The default is 10.
• retry <0–6>
Specifies the maximum number of authentication retires. The
default is 3.
• source-ip WORD<0–46>
Specifies a configured IP address as the source address
when transmitting RADIUS packets. WORD<0–46> signifies
an IP address.
• timeout <1–60>
Specifies the number of seconds before the authentication
request times out. The default is 3.
sourceip-flag
Enable the source IP so the switch uses a configured source
IP address. If the outgoing interface on the switch fails, a
different source IP address is used — requiring that you make
configuration changes to define the new RADIUS client on the
RADIUS server. To simplify RADIUS server configuration, you
can configure the switch to use a Circuitless IP (CLIP) address
as the source IP and NAS IP address when transmitting
RADIUS packets. A CLIP is not associated with a physical
interface and is always in an active and operational state. You
can configure the switch with multiple CLIP interfaces.
By default, the switch uses the IP address of the outgoing
interface as the source IP, and the NAS Ip address for RADIUS
packets that it transmits.
Configuring RADIUS profile
Use RADIUS CLI profiling to grant or deny CLI command access to users being authenticated by
way of the RADIUS server. You can add a set of CLI commands to the configuration file on the
radius server, and you can specify the command-access mode for these commands. The default
is false.
December 2017
Configuring Security on VOSS
312
RADIUS configuration using CLI
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable RADIUS CLI profiling:
radius cli-profile
Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# radius cli-profile
Enabling RADIUS authentication
About this task
Enable or disable RADIUS authentication globally on the device to allow further configuration to
take place. Use the no option to disable RADIUS authentication globally. The default is false or
disabled.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable RADIUS authentication globally on the switch:
radius enable
Enabling the source IP flag for the RADIUS server
Before you begin
• To configure the CLIP as the source IP address, you must enable the global RADIUS
sourceip-flag. You can then configure the source-ip address parameter while defining the
RADIUS server on the switch. The source IP address must be a CLIP address, and that you
can configure a different CLIP address for each RADIUS server.
Important:
Use the source IP option only for the RADIUS servers connected to the in-band network.
December 2017
Configuring Security on VOSS
313
RADIUS
About this task
By default, the switch uses the IP address of the outgoing interface as the source IP, and the NAS
IP address for RADIUS packets that it transmits. Enable the source IP so the switch uses a
configured source IP address instead. Therefore, if the outgoing interface on the switch fails, a
different source IP address is used—requiring that you make configuration changes to define the
new RADIUS Client on the RADIUS server.
RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration in
CLI.
To simplify RADIUS Server configuration, you can configure the switch to use a Circuitless IP
Address (CLIP) as the source IP and NAS IP address when transmitting RADIUS packets. A CLIP
is not associated with a physical interface and is always in an active and operational state. You
can configure the switch with multiple CLIP interfaces.
The default for radius sourceip-flag is false.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable the RADIUS packet source IP flag:
radius sourceip-flag
Enabling RADIUS accounting
Before you begin
• You must configure a RADIUS server before you can enable RADIUS accounting.
About this task
Enable Remote Access Dial-in User Services (RADIUS) accounting to log all of the activity of each
remote user in a session on the centralized RADIUS accounting server.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable RADIUS accounting globally:
radius accounting enable
3. Include or exclude CLI commands in RADIUS accounting updates:
radius accounting include-cli-commands
4. Specify the integer value of the CLI commands attribute:
December 2017
Configuring Security on VOSS
314
RADIUS configuration using CLI
radius accounting attribute-value <192–240>
Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# radius accounting enable
Switch:1(config)# radius accounting include-cli-commands
Variable definitions
Use the data in the following table to use the radius accounting command.
Variable
Value
enable
Enable RADIUS globally.
include-cli-commands
Include CLI commands in RADIUS accounting updates.
attribute-value <192–240>
Specify the integer value of the CLI commands attribute.
Enabling RADIUS-SNMP accounting
Before you begin
• You must configure a RADIUS server before you can enable RADIUS-SNMP accounting.
About this task
Enable Remote Access Dial-in User Services (RADIUS) Simple Network Managing Protocol
(SNMP) accounting globally. Use SNMP to remotely collect management data. An SNMP agent is
a software process that monitors the UDP port 161 for SNMP messages. Each SNMP message
sent to the agent contains a list of management objects.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable RADIUS Simple Network Management Protocol (SNMP) accounting globally:
radius-snmp acct-enable
3. Set a timer to send a stop accounting message for RADIUS Simple Network Management
Protocol (SNMP):
radius-snmp abort-session-timer <30–65535>
4. Set the timer for re-authentication of the SNMP session:
radius-snmp re-auth-timer <30–65535>
5. Specify the user name for SNMP access:
December 2017
Configuring Security on VOSS
315
RADIUS
radius-snmp user WORD <0–20>
Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# radius-snmp acct-enable
Switch:1(config)# radius-snmp abort-session-timer 30
Variable definitions
Use the data in the following table to use the radius-snmp command.
Table 9: Variable definitions
Variable
Value
acct-enable
Enables RADIUS accounting globally. You cannot enable RADIUS
accounting before you configure a valid server. The system disables
RADIUS accounting by default. The default is false. Use the no option to
disable RADIUS accounting globally: no radius-snmp acct-enable
abort-session-timer <30–
65535>
Set the timer, in seconds, to send a stop accounting message. The default
is 180.
re-auth-timer <30–65535>
Sets timer for re-authentication of the SNMP session. The timer value
ranges from 30 to 65535 seconds. The default is 180.
user WORD <0–20>
Specifies the user name for SNMP access. WORD <0–20> specifies the
user name in a range of 0 to 20 characters. The default is snmp_user.
Configuring RADIUS accounting interim request
About this task
Configure RADIUS accounting interim requests to create a log whenever a user executes more
than the number of CLI commands you specify.
If the packet size equals or exceeds 1.8 KB, an interim request packet is sent even if the
configured limit is not reached. Therefore, the trigger to send out the interim request is either the
configured value or a packet size greater than, or equal to 1.8 KB, whichever happens first.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure RADIUS accounting interim requests:
radius cli-cmd-count <1-40>
December 2017
Configuring Security on VOSS
316
RADIUS configuration using CLI
3. Include or exclude CLI commands in RADIUS accounting:
radius accounting include-cli-commands
Important:
You must configure the radius accounting include-cli-commands command
for accounting interim requests to function.
Example
Switch:1> enable
Switch:1# configure terminal
Switch:1(config)# radius cli-cmd-count 30
Switch:1(config)# radius accounting include-cli-commands
Variable definitions
Use the data in the following table to use the radius cli-cmd-count command.
Variable
Value
<1-40>
Specifies how many CLI commands, from 1 to 40, before the system
sends a RADIUS accounting interim request. The default value is 40.
Configuring RADIUS authentication and RADIUS accounting
attributes
About this task
Configure RADIUS authentication and RADIUS accounting attributes to determine the size of the
packets received.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the RADIUS authentication attribute value:
radius command-access-attribute <192-240>
3. Configure the RADIUS accounting attribute value:
radius accounting attribute-value <192-240>
Example
Switch:1>enable
Switch:1#configure terminal
December 2017
Configuring Security on VOSS
317
RADIUS
Switch:1(config)#radius command-access-attribute 192
Switch:1(config)#radius accounting attribute-value 192
Variable definitions
Use the data in the following table to use the radius command.
Variable
Value
access-priority-attribute <192-240>
Specifies the value of the access priority attribute in the range
of 192 to 240. The default is 192.
accounting {attribute-value <192-240>|
enable|include-cli-commands}
Configures the accounting attribute value, enable accounting,
or configure if accounting includes CLI commands. The default
is false. Use the no option to disable the accounting attribute
value: no radius accounting enable.
auth-info-attr-value <0-255>
Specifies the value of the authentication information attribute in
the range of 0 to 255.The default is 91.
clear-stat
Clears RADIUS statistics.
cli-cmd-count <1–40>
Specifies how many CLI commands, from 1 to 40, before the
system sends a RADIUS accounting interim request. The
default value is 40.
cli-commands-attribute <192-240>
Specifies the value of CLI commands attribute in the range of
192 to 240. The default is 195.
cli-profile
Enable RADIUS CLI profiling. CLI profiling grants or denies
access to users being authenticated by way of the RADIUS
server. You can add a set of CLI commands to the
configuration on the RADIUS server, and you can specify the
command-access more for these commands. The default is
false.
command-access-attribute <192-240>
Specifies the value of the command access attribute in the
range of 192 to 240. The default is 194.
enable
Enable RADIUS authentication globally on the switch.
maxserver <1-10>
Specific to RADIUS authentication, configures the maximum
number of servers allowed for the device. The range is
between 1 and 10. The default is 10.
mcast-addr-attr-value <0-255>
Specifies the value of the multicast address attribute in the
range of 0 to 255. The default is 90.
server host WORD<0–46> key
• host WORD<0–46>
WORD<0–32> [used-by {cli|snmp|web}
Creates a host server. WORD<0–46> signifies an IP
[acct-enable] [acct-port <1–65536> ]
address.
[enable] [port <1–65536> ] [priority <1–
10> ] [retry <0–6> ] [source-ip WORD<0– • key WORD<0–32>
46> ] [timeout <1–60> ]
Specifies a secret key in the range of 0–32 characters.
• used-by {cli|snmp|web}
Table continues…
December 2017
Configuring Security on VOSS
318
RADIUS configuration using CLI
Variable
Value
Specifies how the server functions. Configures the server for
authentication for
- cli
- snmp
- web
• acct-enable
Enables RADIUS accounting on this server. The system
enables RADIUS accounting by default.
• acct-port <1–65536>
Specifies a UDP port of the RADIUS accounting server (1 to
65536). The default value is 1816. The UDP port value set
for the client must match the UDP value set for the RADIUS
server.
• enable
Enables the server. The default is true.
• port <1–65536>
Specifies a UDP port of the RADIUS server. The default
value is 1812.
• priority <1–10>
Specifies the priority value for this server. The default is 10.
• retry <0–6>
Specifies the maximum number of authentication retires. The
default is 3.
• source-ip WORD<0–46>
Specifies a configured IP address as the source address
when transmitting RADIUS packets. WORD<0–46> signifies
an IP address.
• timeout <1–60>
Specifies the number of seconds before the authentication
request times out. The default is 3.
sourceip-flag
December 2017
Enable the source IP so the switch uses a configured source
IP address. If the outgoing interface on the switch fails, a
different source IP address is used — requiring that you make
configuration changes to define the new RADIUS client on the
RADIUS server. To simplify RADIUS server configuration, you
can configure the switch to use a Circuitless IP (CLIP) address
as the source IP and NAS IP address when transmitting
RADIUS packets. A CLIP is not associated with a physical
Table continues…
Configuring Security on VOSS
319
RADIUS
Variable
Value
interface and is always in an active and operational state. You
can configure the switch with multiple CLIP interfaces.
By default, the switch uses the IP address of the outgoing
interface as the source IP, and the NAS Ip address for RADIUS
packets that it transmits.
Adding a RADIUS server
About this task
Add a RADIUS server to allow RADIUS service on the switch.
RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration
using CLI.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Add a RADIUS server:
radius server host WORD <0–46> key WORD<0-32> [used-by {cli|snmp|
web}] [acct-enable][acct-port <1-65536>] [enable] [port <1-65536>]
[priority <1-10>][retry <0-6>] [source-ip WORD <0–46>] [timeout
<1-60>]
Example
Switch:1>enable
Switch:1#configure terminal
Add a RADIUS server:
Switch:1(config)#radius server host
4717:0000:0000:0000:0000:0000:7933:0001 key testkey1 used-by snmp port
12 retry 5 timeout 10 enable
Variable definitions
Use the data in the following table to use the radius server command.
Variable
Value
host WORD <0–46>
Creates a host server. WORD <0–46> signifies an
IPv4 address in the format A.B.C.D or an IPv6
address in the format x:x:x:x:x:x:x:x. RADIUS
Table continues…
December 2017
Configuring Security on VOSS
320
RADIUS configuration using CLI
Variable
Value
supports IPv4 and IPv6 addresses, with no difference
in functionality or configuration using CLI.
key WORD<0-32>
Specifies a secret key in the range of 0–32
characters.
used-by {cli|snmp|web}
Specifies how the server functions
• cli—configure the server for CLI authentication.
• snmp—configure the server for SNMP
authentication.
• web—configure the server for http(s) authentication
Use the no option to remove a host server: no
radius server host WORD<0–46> used-by
{cli|snmp|web}. The default is cli. The default
command is: default radius server host
WORD<0–46> used-by {cli|snmp|web}
acct-enable
Enables RADIUS accounting on this server. The
system enables RADIUS accounting by default.
acct-port <1-65536>
Specifies a UDP port of the RADIUS accounting
server (1 to 65536). The default value is 1816.
Important:
The UDP port value set for the client must
match the UDP value set for the RADIUS server.
enable
Enables this server. The default is true.
port <1-65536>
Specifies a UDP port of the RADIUS server. The
default value is 1812.
priority <1-10>
Specifies the priority value for this server. The default
is 10.
retry <0-6>
Specifies the maximum number of authentication
retries. The default is 3.
source-ip WORD <0–46>
Specifies a configured IP address as the source
address when transmitting RADIUS packets. WORD
<0–46> signifies an IPv4 address in the format
A.B.C.D or an IPv6 address in the format
x:x:x:x:x:x:x:x. RADIUS supports IPv4 and IPv6
addresses, with no difference in functionality or
configuration using CLI.
timeout <1-60>
Specifies the number of seconds before the
authentication request times out. The default is 3.
December 2017
Configuring Security on VOSS
321
RADIUS
Modifying RADIUS server settings
About this task
Change a specified RADIUS server value without having to delete the server and recreate it again.
RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration
using CLI.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Modify a RADIUS server:
radius server host WORD <0–46> [used-by {cli|eapol|snmp|web}] [key
WORD<0-20>] [port 1-65536] [priority <1-10>] [retry <0-6>] [timeout
<1-20>] [enable] [acct-port <1-65536>] [acct-enable] [source-ip
WORD <0–46>]
Example
Switch:1>enable
Switch:1#configure terminal
Modify a RADIUS server:
Switch:1(config)#radius server host
4717:0000:0000:0000:0000:0000:7933:0001 used-by snmp port 12 retry 5
timeout 10 enable
Variable definitions
Use the data in the following table to use the radius server host command.
Variable
Value
used-by {cli|eapol|snmp| web}
Specifies how the server functions
• cli—configure the server for CLI authentication.
• eapol—configure the server for EAPoL authentication.
• snmp—configure the server for SNMP authentication.
• web—configure the server for Web authentication.
Use the no option to remove a host server: no radius server
host WORD<0–46> used-by {cli|snmp|web}. The default is
cli. The default command is: default radius server host
WORD<0–46> used-by {cli|snmp|web}.
Table continues…
December 2017
Configuring Security on VOSS
322
RADIUS configuration using CLI
Variable
Value
host WORD <0–46>
Configures a host server. WORD <0–46> signifies an IPv4 address
in the format A.B.C.D or an IPv6 address in the format
x:x:x:x:x:x:x:x. RADIUS supports IPv4 and IPv6 addresses, with no
difference in functionality or configuration using CLI.
acct-enable
Enables RADIUS accounting on this server. The system enables
RADIUS accounting by default.
acct-port <1-65536>
Configures the UDP port of the RADIUS accounting server (1 to
65536). The default value is 1813.
Important:
The UDP port value set for the client must match the UDP
value set for the RADIUS server.
enable
Enables the RADIUS server. The default is true.
key WORD <0–20>
Configures the secret key of the authentication client.
port <1-65536>
Configures the UDP port of the RADIUS authentication server (1 to
65536). The default value is 1812.
priority <1–10>
Configures the priority value for this server (1 to 10). The default is
10.
retry <0–6>
Configures the number of authentication retries the server will
accept (0 to 6). The default is 3.
source-ip WORD <0–46>
Specifies a configured IP address as the source address when
transmitting RADIUS packets. To use this option, you must have the
global RADIUS sourceip-flag set to true. RADIUS supports IPv4
and IPv6 addresses, with no difference in functionality or
configuration using CLI.
timeout <1–20>
Configures the number of seconds before the authentication
request times out (1 to 20). The default is 3.
Showing RADIUS information
Display the global status of RADIUS information to ensure you configured the RADIUS feature
according to the needs of the network.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display the global status of RADIUS information:
show radius
Example
Switch:1>show radius
acct-attribute-value : 193
acct-enable : false
acct-include-cli-commands : false
December 2017
Configuring Security on VOSS
323
RADIUS
access-priority-attribute
auth-info-attr-value
command-access-attribute
cli-commands-attribute
cli-cmd-count
cli-profile-enable
enable
igap-passwd-attr
igap-timeout-log-fsize
maxserver
mcast-addr-attr-value
sourceip-flag
supported-vendor-ids
:
:
:
:
:
:
:
:
:
:
:
:
:
192
91
194
195
40
false
false
standard
512
10
90
false
1584, 562
Displaying RADIUS server information
If your system is configured with a RADIUS server you can display the RADIUS server
information.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. To display the RADIUS server information enter the following command:
show radius-server
Note:
If no RADIUS server is configured, the system displays the following message:
no RADIUS server configured
Example
Switch:1>show radius-server
==================================================================================
Radius Server Entries
==================================================================================
ACCT
Name
USED
TIME EN- ACCT ENSOURE
BY SECRET PORT PRIO RETRY OUT ABLED PORT ABLED IP
1.1.1.1
cli ****** 1812 10
1
3
true 1813 true 0.0.0.0
1000:0:0:0:0:0:0:1 cli ****** 1812 10
1
3
true 1813 true 0:0:0:0:0:0:0:0
10.10.10.10
cli ****** 1812 10
1
3
true 1813 true 0.0.0.0
4000:0:0:0:0:0:0:1 cli ****** 1812 10
1
3
true 1813 true 0:0:0:0:0:0:0:0
Configuring RADIUS server reachability
About this task
Use this procedure to configure the RADIUS server reachability settings.
Procedure
1. Enter Global Configuration mode:
December 2017
Configuring Security on VOSS
324
RADIUS configuration using CLI
enable
configure terminal
2. Set the RADIUS request username and password:
radius reachability username WORD<1-16> password WORD<1-16>
3. Set the interval between checks when RADIUS server is reachable:
radius reachability keep-alive-timer <30-600>
4. Set the interval between checks when RADIUS server is unreachable:
radius reachability unreachable-timer <30-600>
Example
Configure the RADIUS server reachability settings:
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.
End with CNTL/Z.
Set the RADIUS request username and password:
Switch:1(config)#radius reachability username extremenetworks password extremenetworks
Set the interval between checks when RADIUS server is reachable:
Switch:1(config)#radius reachability keep-alive-timer 30
Set the interval between checks when RADIUS server is unreachable:
Switch:1(config)#radius reachability unreachable-timer 30
Variable definitions
Use the data in the following table to use the radius reachability command.
Variable
Value
keep-alive-timer <30-600>
Specifies, in seconds, the interval between checks when
radius server is reachable. The default is 180 seconds.
unreachable-timer <30-600>
Specifies, in seconds, the interval between checks when
radius server is unreachable. The default is 60 seconds.
username WORD<1-16>
Configures the RADIUS request username. The default is
extremenetworks.
password WORD<1-16>
Configures the RADIUS request password. The default is
extremenetworks.
Displaying RADIUS server reachability
About this task
Use this procedure to display the RADIUS server reachability settings.
December 2017
Configuring Security on VOSS
325
RADIUS
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display the RADIUS server reachability settings:
show radius reachability
Example
Display the RADIUS server reachability settings.
Switch:1#show radius reachability
Radius reachability status
Radius reachable server
Time until next check
Radius username
Radius password
Radius keep-alive-timer
Radius unreachable-timer
:
:
:
:
:
:
:
reachable
192.0.2.1
In progress
extremenetworks
extremenetworks
180
60
Showing RADIUS SNMP configurations
Display current RADIUS SNMP configurations.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display the current RADIUS server SNMP configurations:
show radius snmp
Example
Switch:1>show radius snmp
abort-session-timer
acct-enable
user
enable
re-auth-timer
:
:
:
:
:
180
false
snmp_user
false
180
RADIUS configuration using Enterprise Device Manager
You can configure Remote Access Dial-In User Services (RADIUS) to assist in securing networks
against unauthorized access, and allow communication servers and clients to authenticate the
identity of users through a central database.
The database within the RADIUS server stores client information, user information, password, and
access privileges, including the use of shared secret.
RADIUS supports IPv4 and IPv6 addresses with no difference in functionality or configuration in all
but the following case. When adding a RADIUS server in Enterprise Device Manager (EDM) or
December 2017
Configuring Security on VOSS
326
RADIUS configuration using Enterprise Device Manager
modifying a RADIUS configuration in EDM, you must specify if the address type is an IPv4 or an
IPv6 address.
RADIUS is a fully open and standard protocol, defined by RFCs (Authentication: RFC2865,
accounting RFC2866). With the switch, you use RADIUS authentication to secure access to the
device (console/Telnet/SSH), and RADIUS accounting to track the management sessions for
Command Line Interface (CLI) only.
RADIUS authentication allows the remote server to authenticate logons. RADIUS accounting logs
all of the activity of each remote user in a session on the centralized RADIUS accounting server.
Enabling RADIUS authentication
About this task
Enable RADIUS authentication globally to allow all features and functions of RADIUS to operate
with the RADIUS server.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
3. In the RADIUS Global tab, select the Enable check box.
4. In the MaxNumberServer field, type a value for the maximum number of servers.
5. In the AccessPriorityAttrValue field, type an access policy value (by default, this value is
192).
6. Configure the rest of the parameters in the RADIUS global tab.
7. Click Apply.
RADIUS Global field descriptions
Use the data in the following table to use the RADIUS Global tab.
Name
Description
Enable
Enables the RADIUS authentication feature globally.
MaxNumberServer
Specifies the maximum number of servers to be used, between 1
and 10, inclusive.
AccessPriorityAttrValue
Specific to RADIUS authentication. Specifies the vendor-specific
attribute value of the access-priority attribute to match the type
value set in the dictionary file on the RADIUS server. The valid
values are 192 through 240. The default is 192.
AcctEnable
Enables RADIUS accounting.
Table continues…
December 2017
Configuring Security on VOSS
327
RADIUS
Name
Description
AcctAttriValue
Specific to RADIUS accounting. Specifies the vendor-specific
attribute value of the CLI-command attribute to match the type
value set in the dictionary file on the RADIUS server. This value
must be different from the access-priority attribute value
configured for authentication. The valid values are 192 through
240. The default value is 193.
AcctIncludeCli
Specifies whether you want CLI commands included in RADIUS
accounting requests.
ClearStat
Clears RADIUS statistics from the device.
McastAttributeValue
Specifies the value of the Mcast attribute. The valid values are 0
through 255. The default value is 90.
AuthInfoAttrValue
Specifies the value of the authentication information attribute. The
valid values are 0 through 255. The default value is 91.
CommandAccessAttrValue
Specifies the value of the command access attribute. The valid
values are 192 through 240. The default value is 194.
CliCommandAttrValue
Specifies the value of the CLI command attribute. The valid
values are 192 through 240. The default value is 195.
AuthInvalidServerAddress
Displays the number of access responses from unknown or
invalid RADIUS servers.
SourceIpFlag
Includes a configured IP address as the source address in
RADIUS packets. The default is false. RADIUS supports IPv4 and
IPv6 addresses with no difference in functionality or configuration.
CliCmdCount
Gives the value for the CLI command count. Specify an integer
from 1 to 40. The default is 40.
CliProfEnable
Enables RADIUS CLI profiling.
SupportedVendorIds
Shows the vendor IDs that the software supports for RADIUS.
UserName
Specifies the username for RADIUS server reachability. The
default is extremenetworks.
Password
Specifies the password for RADIUS server reachability. The
default is extremenetworks.
Confirm Password
Confirms the password for RADIUS server reachability.
Unreachable Timer
Specifies, in seconds, the interval between checks when radius
server is unreachable. The default is 60 seconds.
Keep Alive Timer
Specifies, in seconds, the interval between checks when radius
server is reachable. The default is 180 seconds.
December 2017
Configuring Security on VOSS
328
RADIUS configuration using Enterprise Device Manager
Enabling RADIUS accounting
Before you begin
• You must set up a RADIUS server and add it to the configuration file of the device before you
can enable RADIUS accounting on the device. Otherwise, the system displays an error
message.
About this task
Enable RADIUS accounting to log all of the activity of each remote user in a session on the
centralized RADIUS accounting server.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
3. In the RADIUS Global tab, select the AcctEnable check box.
4. In the AcctAttrValue field, type an access policy value (by default, this value is 193).
5. Click Apply.
RADIUS Global field descriptions
Use the data in the following table to use the RADIUS Global tab.
Name
Description
Enable
Enables the RADIUS authentication feature globally.
MaxNumberServer
Specifies the maximum number of servers to be used, between 1
and 10, inclusive.
AccessPriorityAttrValue
Specific to RADIUS authentication. Specifies the vendor-specific
attribute value of the access-priority attribute to match the type
value set in the dictionary file on the RADIUS server. The valid
values are 192 through 240. The default is 192.
AcctEnable
Enables RADIUS accounting.
AcctAttriValue
Specific to RADIUS accounting. Specifies the vendor-specific
attribute value of the CLI-command attribute to match the type
value set in the dictionary file on the RADIUS server. This value
must be different from the access-priority attribute value
configured for authentication. The valid values are 192 through
240. The default value is 193.
AcctIncludeCli
Specifies whether you want CLI commands included in RADIUS
accounting requests.
ClearStat
Clears RADIUS statistics from the device.
Table continues…
December 2017
Configuring Security on VOSS
329
RADIUS
Name
Description
McastAttributeValue
Specifies the value of the Mcast attribute. The valid values are 0
through 255. The default value is 90.
AuthInfoAttrValue
Specifies the value of the authentication information attribute. The
valid values are 0 through 255. The default value is 91.
CommandAccessAttrValue
Specifies the value of the command access attribute. The valid
values are 192 through 240. The default value is 194.
CliCommandAttrValue
Specifies the value of the CLI command attribute. The valid
values are 192 through 240. The default value is 195.
AuthInvalidServerAddress
Displays the number of access responses from unknown or
invalid RADIUS servers.
SourceIpFlag
Includes a configured IP address as the source address in
RADIUS packets. The default is false. RADIUS supports IPv4 and
IPv6 addresses with no difference in functionality or configuration.
CliCmdCount
Gives the value for the CLI command count. Specify an integer
from 1 to 40. The default is 40.
CliProfEnable
Enables RADIUS CLI profiling.
SupportedVendorIds
Shows the vendor IDs that the software supports for RADIUS.
UserName
Specifies the username for RADIUS server reachability. The
default is extremenetworks.
Password
Specifies the password for RADIUS server reachability. The
default is extremenetworks.
Confirm Password
Confirms the password for RADIUS server reachability.
Unreachable Timer
Specifies, in seconds, the interval between checks when radius
server is unreachable. The default is 60 seconds.
Keep Alive Timer
Specifies, in seconds, the interval between checks when radius
server is reachable. The default is 180 seconds.
Disabling RADIUS accounting
Before you begin
• You cannot globally disable RADIUS accounting unless a server entry exists.
About this task
Disabling RADIUS accounting removes the accounting function from the RADIUS server.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
December 2017
Configuring Security on VOSS
330
RADIUS configuration using Enterprise Device Manager
3. In the RADIUS Global tab, disable RADIUS accounting by clearing the AcctEnable check
box.
4. Click Apply.
Enabling RADIUS accounting interim request
About this task
Enable the RADIUS accounting interim request feature to create a log whenever more than the
specified number of CLI commands are executed.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
3. In the RADIUS Global tab, type the number of CLI commands in the CliCmdCount field.
4. Click Apply.
RADIUS Global field descriptions
Use the data in the following table to use the RADIUS Global tab.
Name
Description
Enable
Enables the RADIUS authentication feature globally.
MaxNumberServer
Specifies the maximum number of servers to be used, between 1
and 10, inclusive.
AccessPriorityAttrValue
Specific to RADIUS authentication. Specifies the vendor-specific
attribute value of the access-priority attribute to match the type
value set in the dictionary file on the RADIUS server. The valid
values are 192 through 240. The default is 192.
AcctEnable
Enables RADIUS accounting.
AcctAttriValue
Specific to RADIUS accounting. Specifies the vendor-specific
attribute value of the CLI-command attribute to match the type
value set in the dictionary file on the RADIUS server. This value
must be different from the access-priority attribute value
configured for authentication. The valid values are 192 through
240. The default value is 193.
AcctIncludeCli
Specifies whether you want CLI commands included in RADIUS
accounting requests.
ClearStat
Clears RADIUS statistics from the device.
McastAttributeValue
Specifies the value of the Mcast attribute. The valid values are 0
through 255. The default value is 90.
Table continues…
December 2017
Configuring Security on VOSS
331
RADIUS
Name
Description
AuthInfoAttrValue
Specifies the value of the authentication information attribute. The
valid values are 0 through 255. The default value is 91.
CommandAccessAttrValue
Specifies the value of the command access attribute. The valid
values are 192 through 240. The default value is 194.
CliCommandAttrValue
Specifies the value of the CLI command attribute. The valid
values are 192 through 240. The default value is 195.
AuthInvalidServerAddress
Displays the number of access responses from unknown or
invalid RADIUS servers.
SourceIpFlag
Includes a configured IP address as the source address in
RADIUS packets. The default is false. RADIUS supports IPv4 and
IPv6 addresses with no difference in functionality or configuration.
CliCmdCount
Gives the value for the CLI command count. Specify an integer
from 1 to 40. The default is 40.
CliProfEnable
Enables RADIUS CLI profiling.
SupportedVendorIds
Shows the vendor IDs that the software supports for RADIUS.
UserName
Specifies the username for RADIUS server reachability. The
default is extremenetworks.
Password
Specifies the password for RADIUS server reachability. The
default is extremenetworks.
Confirm Password
Confirms the password for RADIUS server reachability.
Unreachable Timer
Specifies, in seconds, the interval between checks when radius
server is unreachable. The default is 60 seconds.
Keep Alive Timer
Specifies, in seconds, the interval between checks when radius
server is reachable. The default is 180 seconds.
Configuring the source IP option for the RADIUS server
Before you begin
• To configure the CLIP as the source IP address, you must configure the global RADIUS
sourceip-flag parameter as true. You can configure the source-ip address parameter while
you define the RADIUS Server on the switch. The source IP address must be a CLIP
address, and you can configure a different CLIP address for each RADIUS server. For more
information about configuring the source IP address, see Adding a RADIUS server on
page 334.
Important:
Use the source IP option only for the RADIUS servers connected to the in-band network.
About this task
By default, the switch uses the IP address of the outgoing interface as the source IP and NAS IP
address for RADIUS packets that it transmits. When you configure the RADIUS server, this IP
address is used when defining the RADIUS Clients that communicate with it. Therefore, if the
December 2017
Configuring Security on VOSS
332
RADIUS configuration using Enterprise Device Manager
outgoing interface on the switch fails, a different source IP address is used—requiring that you
make configuration changes to define the new RADIUS client on the RADIUS server.
To simplify RADIUS Server configuration, you can configure the switch to use a Circuitless IP
Address (CLIP) as the source IP and NAS IP address when transmitting RADIUS packets. A CLIP
is not associated with a physical interface and is always in an active and operational state. You
can configure the switch with multiple CLIP interfaces.
RADIUS supports IPv4 and IPv6 addresses with no difference in functionality or configuration in all
but the following case. When adding a RADIUS server in Enterprise Device Manager (EDM) or
modifying a RADIUS configuration in EDM, you must specify if the address type is an IPv4 or an
IPv6 address.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
3. In the RADIUS Global tab, select the SourceIpFlag check box.
4. Click Apply.
RADIUS Global field descriptions
Use the data in the following table to use the RADIUS Global tab.
Name
Description
Enable
Enables the RADIUS authentication feature globally.
MaxNumberServer
Specifies the maximum number of servers to be used, between 1
and 10, inclusive.
AccessPriorityAttrValue
Specific to RADIUS authentication. Specifies the vendor-specific
attribute value of the access-priority attribute to match the type
value set in the dictionary file on the RADIUS server. The valid
values are 192 through 240. The default is 192.
AcctEnable
Enables RADIUS accounting.
AcctAttriValue
Specific to RADIUS accounting. Specifies the vendor-specific
attribute value of the CLI-command attribute to match the type
value set in the dictionary file on the RADIUS server. This value
must be different from the access-priority attribute value
configured for authentication. The valid values are 192 through
240. The default value is 193.
AcctIncludeCli
Specifies whether you want CLI commands included in RADIUS
accounting requests.
ClearStat
Clears RADIUS statistics from the device.
McastAttributeValue
Specifies the value of the Mcast attribute. The valid values are 0
through 255. The default value is 90.
Table continues…
December 2017
Configuring Security on VOSS
333
RADIUS
Name
Description
AuthInfoAttrValue
Specifies the value of the authentication information attribute. The
valid values are 0 through 255. The default value is 91.
CommandAccessAttrValue
Specifies the value of the command access attribute. The valid
values are 192 through 240. The default value is 194.
CliCommandAttrValue
Specifies the value of the CLI command attribute. The valid
values are 192 through 240. The default value is 195.
AuthInvalidServerAddress
Displays the number of access responses from unknown or
invalid RADIUS servers.
SourceIpFlag
Includes a configured IP address as the source address in
RADIUS packets. The default is false. RADIUS supports IPv4 and
IPv6 addresses with no difference in functionality or configuration.
CliCmdCount
Gives the value for the CLI command count. Specify an integer
from 1 to 40. The default is 40.
CliProfEnable
Enables RADIUS CLI profiling.
SupportedVendorIds
Shows the vendor IDs that the software supports for RADIUS.
UserName
Specifies the username for RADIUS server reachability. The
default is extremenetworks.
Password
Specifies the password for RADIUS server reachability. The
default is extremenetworks.
Confirm Password
Confirms the password for RADIUS server reachability.
Unreachable Timer
Specifies, in seconds, the interval between checks when radius
server is unreachable. The default is 60 seconds.
Keep Alive Timer
Specifies, in seconds, the interval between checks when radius
server is reachable. The default is 180 seconds.
Adding a RADIUS server
About this task
Add a RADIUS server to allow RADIUS service on the switch.
Remote Dial-In User Services (RADIUS) supports both IPv4 and IPv6 addresses, with no
differences in functionality or configuration in all but the following case. When adding a RADIUS
server or updating a RADIUS server in Enterprise Device Manager (EDM) you must specify if the
address type is an IPv4 or an IPv6 address.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
3. Click the RADIUS Servers tab.
4. Click Insert.
December 2017
Configuring Security on VOSS
334
RADIUS configuration using Enterprise Device Manager
5. In the AddressType box, select IPv4 or IPv6.
6. In the Address box, type the IP address of the RADIUS server that you want to add.
7. In the UsedBy box, select an option for the user logon.
8. In the SecretKey box, type a secret key.
9. In the SourceIpAddr box, type the IP address to use as the source address in RADIUS
packets.
10. Click Insert.
RADIUS Servers field descriptions
Use the data in the following table to use the RADIUS Servers tab.
Name
Description
AddressType
Specifies either an IPv4 or an IPv6 address. RADIUS supports IPv4
and IPv6 addresses.
Address
Specifies the IP address of the RADIUS server. RADIUS supports IPv4
and IPv6 addresses.
UsedBy
Specifies the user logon.
• cli: for cli logon
• eap: for EAPoL authentication
• snmp: for snmp logon
• web: for HTTP(s) access authentication
The default is cli.
Priority
Specifies the priority of each server, or the order of servers to send
authentication (1 to 10). The default is 10.
TimeOut
Specifies the time interval in seconds before the client retransmits the
packet (1 to 20).
Enable
Enables or disables authentication on the server. The default is true.
MaxRetries
Specifies the maximum number of retransmissions allowed (1 to 6).
The default is 1.
UdpPort
Specifies the UDP port that the client uses to send requests to the
server (1 to 65536). The default value is 1812.
The UDP port value set for the client must match the UDP value set for
the RADIUS server.
SecretKey
Specifies the RADIUS server secret key, which is the password used
by the client to be validated by the server.
AcctEnable
Enables or disable RADIUS accounting. The default is true.
AcctUdpPort
Specifies the UDP port of the RADIUS accounting server (1 to 65536).
The default value is 1813.
Table continues…
December 2017
Configuring Security on VOSS
335
RADIUS
Name
Description
The UDP port value set for the client must match the UDP value set for
the RADIUS server.
SourceIpAddr
Specifies the IP address to use as the source address in RADIUS
packets. To use this option, you must set the global RADIUS
SourceIpFlag to true. RADIUS supports IPv4 and IPv6 addresses.
Reauthenticating the RADIUS SNMP server session
About this task
Specify the number of challenges that you want the RADIUS SNMP server to send to authenticate
a given session.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
3. Click the RADIUS SNMP tab.
The RADIUS SNMP tab appears.
4. Select the Enable check box.
5. In the ReauthenticateTimer field, enter a value to specify the interval between RADIUS
SNMP server reauthentications.
The timer for reauthentication of the RADIUS SNMP server session is enabled.
Important:
To abort the RADIUS SNMP server session, enter a value for the AbortSessionTimer,
and then click Enable.
6. Select the AcctEnable check box if desired.
7. Click Apply.
RADIUS SNMP field descriptions
Use the data in the following table to use the RADIUS SNMP tab.
Name
Description
Enable
Enables or disables timer authentication on the server. The default is
true.
AbortSessionTImer
Specifies the allowable time, in seconds, before aborting the RADIUS
SNMP server session (30 to 65535). The default is 180.
Table continues…
December 2017
Configuring Security on VOSS
336
RADIUS configuration using Enterprise Device Manager
Name
Description
ReAuthenticateTimer
Specifies the time, in seconds, between reauthentications of the RADIUS
SNMP server (30 to 65535). The default is 180.
AcctEnable
Enables or disables the RADIUS SNMP session timer.
UserName
Specifies the user name for the RADIUS SNMP accounting.
Configuring RADIUS SNMP
About this task
Configure RADIUS SNMP parameters for authentication and session times.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
3. Select the RADIUS SNMP tab.
4. Select the Enable check box to enable RADIUS SNMP.
5. In the AbortSessionTimer field, enter the period after which the session expires in
seconds.
6. In the ReAuthenticateTimer field, enter the period of time the system waits before
reauthenticating in seconds.
7. Select the AcctEnable check box to enable RADIUS accounting for SNMP.
8. In the UserName field, type the RADIUS SNMP user name.
9. Click Apply.
RADIUS SNMP field descriptions
Use the data in the following table to use the RADIUS SNMP tab.
Name
Description
Enable
Enables or disables timer authentication on the server. The default is
true.
AbortSessionTImer
Specifies the allowable time, in seconds, before aborting the RADIUS
SNMP server session (30 to 65535). The default is 180.
ReAuthenticateTimer
Specifies the time, in seconds, between reauthentications of the RADIUS
SNMP server (30 to 65535). The default is 180.
AcctEnable
Enables or disables the RADIUS SNMP session timer.
UserName
Specifies the user name for the RADIUS SNMP accounting.
December 2017
Configuring Security on VOSS
337
RADIUS
Modifying a RADIUS configuration
About this task
Use this procedure to modify an existing RADIUS configuration or single function such as
retransmissions and RADIUS accounting.
RADIUS supports IPv4 and IPv6 addresses with no difference in functionality or configuration in all
except the following case. When modifying a RADIUS configuration in Enterprise Device Manager
(EDM), you must specify if the address type is an IPv4 or an IPv6 address.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
3. Click the RADIUS Servers tab.
4. In the row and field to modify, type the information or use the lists to make a selection.
Access the lists by double-clicking in a field.
5. When you are done with modifying the RADIUS configuration, click Apply.
RADIUS Servers field descriptions
Use the data in the following table to use the RADIUS Servers tab.
Name
Description
AddressType
Specifies either an IPv4 or an IPv6 address. RADIUS supports IPv4
and IPv6 addresses.
Address
Specifies the IP address of the RADIUS server. RADIUS supports IPv4
and IPv6 addresses.
UsedBy
Specifies the user logon.
• cli: for cli logon
• eap: for EAPoL authentication
• snmp: for snmp logon
• web: for HTTP(s) access authentication
The default is cli.
Priority
Specifies the priority of each server, or the order of servers to send
authentication (1 to 10). The default is 10.
TimeOut
Specifies the time interval in seconds before the client retransmits the
packet (1 to 20).
Enable
Enables or disables authentication on the server. The default is true.
Table continues…
December 2017
Configuring Security on VOSS
338
RADIUS configuration using Enterprise Device Manager
Name
Description
MaxRetries
Specifies the maximum number of retransmissions allowed (1 to 6).
The default is 1.
UdpPort
Specifies the UDP port that the client uses to send requests to the
server (1 to 65536). The default value is 1812.
The UDP port value set for the client must match the UDP value set for
the RADIUS server.
SecretKey
Specifies the RADIUS server secret key, which is the password used
by the client to be validated by the server.
AcctEnable
Enables or disable RADIUS accounting. The default is true.
AcctUdpPort
Specifies the UDP port of the RADIUS accounting server (1 to 65536).
The default value is 1813.
The UDP port value set for the client must match the UDP value set for
the RADIUS server.
SourceIpAddr
Specifies the IP address to use as the source address in RADIUS
packets. To use this option, you must set the global RADIUS
SourceIpFlag to true. RADIUS supports IPv4 and IPv6 addresses.
Deleting a RADIUS configuration
About this task
Delete an existing RADIUS configuration.
Procedure
1. In the navigation tree, open the following folders: Configuration > Security > Control
Path.
2. Click RADIUS.
3. Click the RADIUS Servers tab.
4. Identify the configuration to delete by clicking anywhere in the row.
5. Click Delete.
Configuring RADIUS server reachability
About this task
Use this procedure to configure the RADIUS server reachability settings.
Procedure
1. In the navigation tree, expand the following folders: Configuration > Security > Control
Path.
December 2017
Configuring Security on VOSS
339
RADIUS
2. Click RADIUS.
3. Click the RADIUS Global tab.
4. In the UserName field, type the reachability user name.
5. In the Password field, type the reachability password.
6. In the Confirm Password field, retype the reachability password.
7. In the Unreachable Timer field, type the interval in seconds between checks when the
RADIUS server is unreachable.
8. In the KeepAlive Timer field, type the interval in seconds between checks when the
RADIUS server is reachable.
9. Click the Apply.
RADIUS Global field descriptions
Use the data in the following table to use the RADIUS Global tab.
Name
Description
Enable
Enables the RADIUS authentication feature globally.
MaxNumberServer
Specifies the maximum number of servers to be used, between 1
and 10, inclusive.
AccessPriorityAttrValue
Specific to RADIUS authentication. Specifies the vendor-specific
attribute value of the access-priority attribute to match the type
value set in the dictionary file on the RADIUS server. The valid
values are 192 through 240. The default is 192.
AcctEnable
Enables RADIUS accounting.
AcctAttriValue
Specific to RADIUS accounting. Specifies the vendor-specific
attribute value of the CLI-command attribute to match the type
value set in the dictionary file on the RADIUS server. This value
must be different from the access-priority attribute value
configured for authentication. The valid values are 192 through
240. The default value is 193.
AcctIncludeCli
Specifies whether you want CLI commands included in RADIUS
accounting requests.
ClearStat
Clears RADIUS statistics from the device.
McastAttributeValue
Specifies the value of the Mcast attribute. The valid values are 0
through 255. The default value is 90.
AuthInfoAttrValue
Specifies the value of the authentication information attribute. The
valid values are 0 through 255. The default value is 91.
CommandAccessAttrValue
Specifies the value of the command access attribute. The valid
values are 192 through 240. The default value is 194.
CliCommandAttrValue
Specifies the value of the CLI command attribute. The valid
values are 192 through 240. The default value is 195.
Table continues…
December 2017
Configuring Security on VOSS
340
RADIUS configuration using Enterprise Device Manager
Name
Description
AuthInvalidServerAddress
Displays the number of access responses from unknown or
invalid RADIUS servers.
SourceIpFlag
Includes a configured IP address as the source address in
RADIUS packets. The default is false. RADIUS supports IPv4 and
IPv6 addresses with no difference in functionality or configuration.
CliCmdCount
Gives the value for the CLI command count. Specify an integer
from 1 to 40. The default is 40.
CliProfEnable
Enables RADIUS CLI profiling.
SupportedVendorIds
Shows the vendor IDs that the software supports for RADIUS.
UserName
Specifies the username for RADIUS server reachability. The
default is extremenetworks.
Password
Specifies the password for RADIUS server reachability. The
default is extremenetworks.
Confirm Password
Confirms the password for RADIUS server reachability.
Unreachable Timer
Specifies, in seconds, the interval between checks when radius
server is unreachable. The default is 60 seconds.
Keep Alive Timer
Specifies, in seconds, the interval between checks when radius
server is reachable. The default is 180 seconds.
December 2017
Configuring Security on VOSS
341
Chapter 9: Secure AAA server
communication
An AAA server program deals with requests for access to computer resources and
provides authentication, authorization, and accounting (AAA) services. The switch communicates
with AAA servers using Remote Authorization Dial-in User Service (RADIUS) and Terminal Access
Controller Access Control System Plus (TACACS+). It is not sufficient to protect authentication
information with only RADIUS or TACACS+. To provide additional security to the traffic in the
communication channel, the software adds support for IP Security (IPsec) for the AAA server
communication.
IPsec provides the ability to secure RADIUS and TACACS+ servers against unwanted traffic by
filtering on specific network adapters, by allowing or blocking specific protocols and enabling the
server to selectively allow traffic from specific source IP addresses.
The following diagram shows the communication between AAA client and AAA server. The IPsec
module on the client encrypts the packets to the AAA server and decrypts the packets from the AAA
server. Similarly, the IPsec module on the server encrypts or decrypts the packets to or from the
client.
December 2017
Configuring Security on VOSS
342
To implement secure AAA server communication, the software supports the following:
• IPsec with Internet Key Exchange (IKE) protocol for both IPv4 and IPv6.
• IPv4 implementation of IPsec, is mainly for protocols involved in communication with AAA
servers, that is, RADIUS and TACACS+. However, it supports all UDP and TCP protocols.
• Digital signature as authentication method for IKE, in addition to the pre-shared key
authentication method.
• Automatic and manual keying for session establishment. IKE is the default automated key
management protocol for IPsec.
• IKEv1 and IKEv2 protocol.
IP security (IPsec)
Internet Protocol Security (IPsec) ensures the authenticity, integrity, and confidentiality of data at the
network layer of the Open System Interconnection (OSI) stack.
IPsec secures the AAA server communication using packet filtering and cryptography. Cryptography
provides user authentication, ensures data confidentiality and integrity, and enforces trusted
communication. For more information on IPsec and its configuration, see IPsec on page 229.
Internet Key Exchange (IKE) protocol
Internet Key Exchange (IKE) protocol sets up a Security Association (SA) in IPsec. SA is the
relationship between two network devices that define attributes such as authentication mechanism,
encryption and hash algorithms, exchange mode, and key length for secured communications. SA
should be agreed to by both the devices.
The IKE protocol is based on Internet Security Association and Key Management Protocol
(ISAKMP) which helps in building a secured connection between two or more hosts using the
following concepts:
• authentication
• encryption
• key management
• security association (SA)
• policy
IKE uses a key exchange mechanism based on the Diffie-Hellman encryption key exchange
protocol. IKE provides periodic automatic key renegotiation, pre-shared and public key
infrastructures, and anti-replay defence. It is layered on top of the UDP protocol and uses UDP port
500 to exchange information between peers.
IKE phases:
A switch negotiates with a peer using IKE in two phases.
• In phase 1, the switch negotiates the IKE SA to protect the negotiations that take place in
phase 2. The SAs negotiated in phase 1 are bi-directional, and are applicable to traffic
originating in both directions.
• In phase 2, the peers negotiate and establish the SAs for IPsec and session keys through
quick mode. A Diffie-Hellman key exchange is done to achieve perfect forward secrecy, which
ensures that the compromise of a single key does not permit access to data other than that
December 2017
Configuring Security on VOSS
343
Secure AAA server communication
protected by that compromised key. The SAs in phase 2 are uni-directional. They are used
according to the direction of the traffic. The quick mode is initiated by either of the peer
endpoints irrespective of who initiated phase 1.
IKE modes:
There are two modes of exchanging messages in Phase 1:
• Main mode
This is a secure mode of exchanging messages. It allows protection of the confidentiality of the
peers during negotiation. This mode provides more flexibility in proposals compared to
aggressive mode. As the main mode requires a total of 6 messages to be exchanged between
peers, it is more time consuming.
• Aggressive mode
This mode is less secure than the main mode. It does not protect the confidentiality of the
peers. However, it requires only a total of 3 messages to be exchanged for phase 1, which
makes this mode faster than the main mode. The number of total message exchange is
reduced in this mode because some messages are embedded in other messages.
The mode of message exchange in phase 2 is called quick mode. In this mode a total of 3
messages are exchanged between the peers. This mode is used to establish IPsec SA. The
negotiations in the quick mode are protected during the phase 1 negotiations in main mode.
IKE policies:
A combination of security parameters used during the IKE SA negotiation is called a policy. The
policies must be configured on both the peers and at least one of the policies should match on both
ends to have a successful negotiation for. If a policy is not configured on both peers or if a policy
does not match on both ends, an SA cannot be setup and data cannot be exchanged.
The following are the attributes of an IKE policy:
• Encryption — This is the cryptographic algorithm that is sent in the proposal by the initiator or
responder during the phase 1 negotiation. This cryptographic algorithm is used to encrypt
phase 2 negotiation messages. The supported encryption algorithms are:
- DES
- 3DES
- AES
• Hash function — This function is used as part of the authentication mechanism during the
authentication of peers in phase 1. It is always used with the authentication algorithm. The
supported values are:
- MD5
- SHA1
- SHA256
• Authentication — This process authenticates the peers. Following are the supported
authentication modes:
- Digital Signatures — The digital signatures use digital certificate which is signed by the
certificate authority (CA) for authentication.
December 2017
Configuring Security on VOSS
344
- Pre-shared keys (PSK) — The PSKs are shared out-of-band between the peers before
hand. Using PSK in main mode exchange limits identifying the peer to an IP address (and
not host name).
• Diffe-Hellman (DH) Group — This is an algorithm used by two peers that are unknown to each
other to establish a shared secret key. This key that is decided during phase 1 is used to
encrypt subsequent message exchanges during phase 2 to establish security associations
(SA) and security policies (SP) for IPsec sessions. The supported DH Groups are as follows:
- Group 1 (MODP768)
- Group 2 (MODP1024)
- Group 14 (MODP2048)
• Lifetime — This is a time and data limit agreed by peers to protect an SA from getting
compromised. It ensures that the peers renegotiate the SAs just before the lifetime value
expires, that is, when the time limit is reached.
• Dead-peer detection – This is a process in which the switch waits for a response from peer for
a limited number of seconds before declaring the peer as dead. It is a keep-alive mechanism
required to perform IKE peer fail-over and to reclaim lost resources by freeing up SAs that are
no longer in use.
IKE authentication:
The security gateway of a peer must authenticate the security gateway of the peer it intends to
communicate with. This ensures that IKE SAs are established between the peers. The switch
supports the following two authentication methods:
• Digital certificates (using RSA algorithms)
For digital certificate authentication, the initiator signs the message interchange data using the
private key. The responder uses the public key of the initiator to verify the signature. The public
key is exchanged by messages containing an X.509v3 certificate. This certificate provides an
assurance that the identity of a peer, as represented in the certificate, is associated with a
particular public key.
• Pre-shared keys
Pre-shared key authentication, the same secret must be configured on both security gateways
before the gateways can authenticate each other.
Signature authentication:
The switch receives the digital signature of its peer in a message exchange. The switch verifies the
digital signature by using the public key of the peer. The certificate of the peer, received during the
IKE negotiation, contains the public key. To ensure that the peer certificate is valid, the switch
verifies its digital signature by using the certificate authority (CA) public key contained in the root CA
certificate. The switch and its IKE peer require at least one common trusted root CA for
authentication to work.
When IKE is configured to use digital certificates for authentication, the certificates are retrieved
from the trusted certificate store in the switch, based on the provided distinguished name. The
certificates received from the peer are verified with the public key.
IKEv2
The software supports IKEv2, which is an enhancement of the IKEv1 protocol. All IKEv2
communications consist of pairs of messages: a request and a response. The IKEv2 protocol uses a
December 2017
Configuring Security on VOSS
345
Secure AAA server communication
non-reliable transport protocol (UDP using ports 500). The pairs of exchanges allows ensuring of
reliability to the IKEv2 protocol, as there is an expected response for each request.
IKEv2 provides a number of improvements over IKEv1, including the following:
• A simplified initial exchange of messages that reduces latency and increases connection
establishment speed.
- IKEv2 makes use of a single four-message exchange instead of the eight different initial
exchanges of IKEv1.
- It improves upon IKEv1's latency by making the initial exchange to be of two round trips of
four messages, and allows the ability to add setup of a child SA on that exchange.
• Improved reliability through the use of sequence numbers, and acknowledgements.
- IKEv2 reduces the number of possible error states by making the protocol reliable as all
messages are acknowledged and sequenced.
• IKE SA integrity algorithms are supported only in IKEv2.
• Traffic Selectors are specified in IKEv2 by their own payloads type and not by overloading ID
payloads. This makes the Traffic Selectors more flexible.
• No lifetime negotiations for IKEv2, but in IKEv1 SA lifetimes are negotiated.
IKEv2 OCSP validation:
Confirmation of certificate reliability is essential to achieve the security assurances public key
cryptography provides. One fundamental element of such confirmation is reference to certificate
revocation status. IKEv2 enables the use of Online Certificate Status Protocol (OCSP) for in-band
signaling of certificate revocation status. The IKEv2 supports the authentication methods as pre
shared key and digital certificate. It allows the verification of the digital certificate sent by the peer
December 2017
Configuring Security on VOSS
346
IKE configuration for Secure AAA server using CLI
whether it is revoked or not. This is done through a method by sending the digital certificate to the
OCSP server. The OCSP server in turn verifies the certificate status and sends the response back.
Based on the response from OCSP server, the device validates the certificate.
Secure AAA server communication and IKE limitations
This section describes the limitations associated with secure AAA server communication feature.
• AAA server protection is provided only for SSH/CLI/WEB/Telnet/Console Access Protection.
• FQDN (Fully Qualified Domain Names) is not supported to identify endpoints. This is because,
the user configures the IP address for the AAA servers in the switch.
• XAUTH ( 2-factor authentication ) is not supported.
• Domain of Interpretation is not supported other than for IPsec.
• NAT Traversal is not supported.
• Custom IKE messages and vendor ID for the messages are not supported.
• IKE fragmentation is not supported.
IKE configuration for Secure AAA server using CLI
Configuring an IKE Phase 1 profile
About this task
Use the following procedure to configure an IKE Phase 1 profile.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create an IKE phase 1 profile:
ike profile WORD<1–32>
3. Configure the IKE phase 1 profile hash algorithm:
ike profile WORD<1–32> hash-algo <md5|sha|sha256|any>
4. Configure the IKE phase 1 profile encryption algorithm:
ike profile WORD<1–32> encrypt-algo <desCbc|3DesCbc|aesCbc|any>
5. Configure the IKE phase 1 profile Diffie-Hellman group:
ike profile WORD<1–32> dh-group <modp768|modp1024|modp2048|any>
December 2017
Configuring Security on VOSS
347
Secure AAA server communication
6. Configure the IKE phase 1 encryption key length:
ike profile WORD<1–32> encrypt-key-len <128|192|256>
7. Configure the IKE phase 1 lifetime, in seconds:
ike profile WORD<1–32> lifetime-sec <0-4294967295>
8. (Optional) Delete the IKE Phase 1 profile:
no ike profile WORD<1–32>
Variable definition
Use the data in the following table to use the ike profile commands.
Variable
Value
profile WORD<1–32>
Specifies the IKE profile name.
hash-algo <md5|sha|
sha256|any>
Specifies the type of hash algorithm. The default value is sha256. To set this
option to the default value, use the default operator with the command:
default ike profile WORD<1–32> hash-algo
encrypt-algo <desCbc|
3DesCbc|aesCbc|any>
Specifies the type of encryption algorithm. The default value is aesCbc. To set
this option to the default value, use the default operator with the command:
default ike profile WORD<1–32> encrypt-algo
dh-group <modp768|
modp1024|modp2048|
any>
Specifies the Diffie-Hellman (DH) group. DH groups categorize the key used
in the key exchange process, by its strength. The key from a higher group
number is more secure. The default value is modp2048. To set this option to
the default value, use the default operator with the command: default ike
profile WORD<1–32> dh-group
encrypt-key-len <128|192| Specifies the length of the encryption key. The default is 256. To set this
256>
option to the default value, use the default operator with the command:
default ike profile WORD<1–32> encrypt-key-len
lifetime-sec
<0-4294967295>
Specifies the lifetime value in seconds. The lifetime ensures that the peers
renegotiate the SAs just before the expiry of the lifetime value, to ensure that
Security Associations are not compromised. The default value is 86400
seconds. To set this option to the default value, use the default operator with
the command: default ike profile WORD<1–32> lifetime-sec
Creating an IKE Phase 1 policy
IKE policy establishes Security Associations (SA) and message exchanges with IKE peers to
successfully set up secured channels.
About this task
Use the following procedure to create the IKE Phase 1 policy.
Procedure
1. Enter Global Configuration mode:
December 2017
Configuring Security on VOSS
348
IKE configuration for Secure AAA server using CLI
enable
configure terminal
2. Create an IKE Phase 1 profile:
ike policy WORD<1–32> laddr WORD<1–256> raddr WORD<1–256>
3. (Optional) Delete the IKE Phase 1 profile:
no ike policy WORD<1-32>
Variable definition
Use the data in the following table to use the ike policy <1–320> laddr command.
Variable
Value
policy WORD<1–32>
Specifies the name of the IKE Phase 1 policy.
laddr WORD<1–256>
Specifies the local IPv4 or IPv6 address.
raddr WORD<1–256>
Specifies the remote IPv4 or IPv6 address.
Configuring profile to be used for IKE Phase 1 policy
Use the following procedure to configure the IKE Phase1 profile to be used for the IKE Phase 1
policy.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the profile name to be used for IKE Phase 1 policy:
ike policy WORD<1–32> profile WORD<1–32>
Variable definition
Use the data in the following table to use the ike policy WORD<1–32> profile WORD<1–
32> command.
Variable
Value
policy WORD<1–32>
Specifies the name of the IKE Phase 1 policy.
profile WORD<1–32>
Specifies the name of the IKE Phase 1 profile to be used for the policy. To set
this option to the default value, use the default operator with the command:
default ike policy WORD<1-32> profile
December 2017
Configuring Security on VOSS
349
Secure AAA server communication
Configuring IKE Phase 2 perfect forward secrecy
Use the following procedure to configure IKE Phase 2 perfect forward secrecy (PFS).
About this task
A Diffie-Hellman key exchange is done to achieve perfect forward secrecy. This ensures that the
compromise of even a single key does not permit access to data other than that protected by that
key.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the IKE Phase 2 perfect forward secrecy:
ike policy WORD<1–32> p2–pfs <enable|disable> [use-ike-group
<enable|disable>][dh-group <modp768|modp1024|modp2048|any]
3. (Optional) Disable Phase 2 perfect forward secrecy:
no ike policy <1–32> p2–pfs
Variable definition
Use the data in this table to use the ike policy WORD<1–32> p2–pfs command.
Variable
Value
policy WORD<1–32>
Specifies the name of the IKE Phase 1 policy.
p2–pfs
Enables the Phase 2 perfect forward secrecy.
dh-group <modp768|
modp1024|modp2048|
any>
Configures the Diffie-Hellman (DH) group to be used for Phase 2 perfect
forward secrecy (PFS). The default value is modp2048. To set this option to
the default value, use the default operator with the command: default ike
policy WORD<1–32> p2–pfs dh-group
use-ike-group <enable|
disable>
Specifies whether to use the IKE Phase 1 DH group for Phase 2 PFS or not
to use it. The default is enable. To set this option to the default value, use the
default operator with the command: default ike policy WORD<1–32>
p2–pfs use-ike-group
Configuring the IKE authentication method
Use the following procedure to configure the IKE authentication method.
December 2017
Configuring Security on VOSS
350
IKE configuration for Secure AAA server using CLI
About this task
As part of the IKE protocol, one security gateway must authenticate another security gateway to
make sure that IKE SAs are established with the intended party. The switch supports two
authentication methods:
• Digital certificates
Configure peer identity name for IKE phase 1 and revocation check method.
• Pre-shared keys
The same secret must be configured on both security gateways before the gateways can
authenticate each other.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the IKE authentication method using any one of the following:
Digital certificate: ike policy WORD<1–32> auth-method digital-certificate
[peer-name WORD <1-64> | revocation-method <crl|none|ocsp>]
Or
Pre-shared key: ike policy WORD<1–32> auth-method pre-shared-key
3. (Optional) Disable the IKE authentication method:
no ike policy WORD<1-32> auth-method digital-certificate peer-name
Variable definition
Use the data in the following table to use the ike policy WORD<1–32> auth-method
command.
Variable
Value
policy WORD<1–32>
Specifies the name of the IKE Phase 1 policy.
auth-method
Specifies the authentication method. The default is pre-shared key. To set this
option to the default value, use the default operator with the command:
default ike policy WORD<1–32> auth-method
pre-shared-key
WORD<0–32>
Specifies the pre-shared key.
digital-certificate peername WORD <1-64>
Specifies peer identity name for IKE phase 1.
digital-certificate
revocation-checkmethod<crl|none|ocsp>
Specifies the revocation check method. To set this option to the default value,
use the default operator with the command: default ike policy
WORD<1–32> revocation-check-method
December 2017
Configuring Security on VOSS
351
Secure AAA server communication
Configuring dead-peer detection timeout
Use the following procedure to configure the dead-peer detection (DPD) timeout for the IKE Phase
1 policy.
About this task
Dead Peer Detection (DPD) timeout is the interval for which the system sends messages to a peer
to confirm its availability.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure the DPD timeout:
ike policy WORD<1–32> dpd-timeout <1–4294967295>
Variable definition
Use the data in the following table to use the ike policy WORD<1–32> dpd-timeout
command.
Variable
Value
policy WORD<1–32>
Specifies the name of the IKE Phase 1 policy.
dpd-timeout <1–
4294967295>
Specifies the dead peer detection timeout in seconds for the IKE Phase 1
policy. The default is 300 seconds. To set this option to the default value, use
the default operator with the command: default ike policy WORD<1–
32> dpd-timeout
Enabling the admin state of IKE Phase 1 policy
Use the following procedure to enable admin state of IKE Phase 1 policy.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable admin state of IKE Phase 1 policy:
ike policy WORD<1–32> enable
3. (Optional) Disable IKE Phase 1 policy:
no ike policy WORD<1–32> enable
December 2017
Configuring Security on VOSS
352
IKE configuration for Secure AAA server using CLI
Displaying IKE profiles
Use the following procedure to display the configured IKE profiles:
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display all IKE profiles:
show ike profile
3. Display a specific ike profile:
show ike profile WORD<1–32>
Example
Switch:1#show ike profile
========================================================================================
==
IKE Profile
========================================================================================
==
Hash
Encrypt Encrypt
DH
Exchange
Lifetime
Name
Algo
Algo
Key Len Group
Mode
seconds
----------------------------------------------------------------------------------------DFLT_IKE_PROFILE
sha256 aesCbc 256
modp2048 main
86400
ikePRO
sha256 aesCbc 256
modp2048 main
180
test
sha256 aesCbc 256
modp2048 main
86400
Variable definition
Use the data in the following table to use the show ike profile command.
Variable
Value
profile WORD<1–32>
Specifies the name of the profile to be displayed.
Job aid
The following table describes the fields in the output for the show ike profile command.
Parameter
Description
Name
Specifies the name of the IKE Phase 1 profile.
Hash Algo
Specifies the hash authorization algorithm. The
supported values are md5, sha, and sha256.
.
Table continues…
December 2017
Configuring Security on VOSS
353
Secure AAA server communication
Parameter
Description
Encrypt Algo
Specifies the crytographic algorithm. The supported
values are desCbc, 3DesCbc, and aesCbc.
Encrypt Key Len
Specifies the length of the encryption key. The
supported values are 128, 192 and 256.
DH Group
Specifies the Diffe-Hellman (DH) group. The
supported values are modp768, modp1024, and
modp2048.
Exchange Mode
Specifies the IKE mode. The supported mods are
main mode and aggressive mode.
Lifetime seconds
Specifies the lifetime value in seconds. The value
ranges from 0 to 4294967295 seconds.
Displaying IKE policies
Use the following procedure to display the configured IKE policies
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display all IKE policies:
show ike policy
3. Display a specific IKE policy:
show ike policy WORD<1–32>
4. Display a specific IKE policy at local address.
show ike policy WORD<1–32> laddr WORD<1–256>
5. Display a specific IKE policy at remote address.
show ike policy WORD<1–32> laddr WORD<1–256> raddr WORD<1–256>
Example
Switch:1#show ike policy
================================================================================
==========
IKE Policy
================================================================================
==========
Policy
Addr
Profile
Name
Type Local Address
Remote
Address
Name
-----------------------------------------------------------------------------------------
December 2017
Configuring Security on VOSS
354
IKE configuration for Secure AAA server using CLI
iketest3
192.168.149.207
v1pol
192.168.152.152
IPv4 192.168.152.104
test
IPv4 192.168.152.104
ikepro
================================================================================
==========
IKE Policy
================================================================================
==========
Policy
Profile
RevocationCheck
peer-identity
Name
Version
Auth-Method
Pre-Shared Key
Method
name
-----------------------------------------------------------------------------------------iketest3
2
digital-cert
ocsp
v1pol
1
digital-cert
ocsp
================================================================================
==========
IKE Policy
================================================================================
==========
Policy
DPD
Admin
Oper
Use IKE
Name
Timeout
State State P2 PFS DH Grp DH Group IntfId
----------------------------------------------------------------------------------------iketest3
300
enable up
disable enable modp1024 3047
v1pol
300
enable up
disable enable modp1024 3047
Variable definition
Use the data in the following table to use the show ike policy command.
Variable
Value
policy WORD<1–32>
Specifies the name of the policy to be displayed.
laddr WORD<1–256>
Specifies the local IPv4 or IPv6 address.
raddr WORD<1–256>
Specifies the remote IPv4 or IPv6 address.
Job aid
The following table describes the fields in the output for the show ike policy command.
Parameter
Description
Policy Name
Specifies the name of the policy that is displayed.
Table continues…
December 2017
Configuring Security on VOSS
355
Secure AAA server communication
Parameter
Description
Addr Type
Specifies whether the IP address is an IPv4 or IPv6
address.
Local Address
Specifies the local IPv4 or IPv6 address.
Remote Address
Specifies the remote IPv4 or IPv6 address.
Profile Name
Specifies the name of the profile.
Profile version
Specifies the version of the profile, version 1 or
version 2.
Auth-Method
Specifies the authentication method. The supported
values are digital-certificate and pre-shared-key.
Revocation-Check Method
Specifies the revocation check method as OCSP,
CRL or none.
Peer-identity name
Specifies peer identity name for IKE phase 1.
Pre-Shared Key
Specifies the pre-shared key value.
DPD Timeout
Specifies the Dead-peer detection timeout in
seconds. The supported value ranges from 1 to
4294967295 seconds.
Admin State
Specifies whether the IKE admin state is enabled or
disabled.
Oper State
Specifies whether the policy is operational or not.
The values are up and down.
P2 PFS
Specifies whether Phase 2 perfect forward secrecy
is enabled or not.
Use IKE DH Grp
Specifies whether IKE can use the DH group or not.
The values are enable and disable.
DH Group
Specifies the type of DH group selected. The
supported values are modp768, modp1024, and
modp2048.
IntfId
Specifies the ID of the interface on which the policy
is applied.
Displaying IKE security association
Use the following procedure to display the configured IKE Phase 1 for version 1 and 2 security
associations (SA).
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display all the security associations:
December 2017
Configuring Security on VOSS
356
IKE configuration for Secure AAA server using CLI
show ike sa
3. Display security associations for IKE Phase 1 for version 1:
show ike sa version v1 WORD<1-32> laddr WORD<1-256> raddr
WORD<1-256>
4. Display security associations for IKE Phase 1 for version 2:
show ike sa version v2 WORD<1-32> laddr WORD<1-256> raddr
WORD<1-256>
Example
Switch:1(config)#show ike sa version v1
========================================================================================
==
IKE V1 Phase 1 Security Association
========================================================================================
==
Policy
Addr
Initiator/
Name
Type Local Address
Remote Address
Responder
----------------------------------------------------------------------------------------ikepsk
IPv4 192.0.2.5
198.51.100.15
Initiator
========================================================================================
==
IKE V1 Phase 1 Security Association
========================================================================================
==
DPD
Hash
Encrypt
DH
Lifetime
Name
Timeout
Algo
Algo
Group
seconds
Status
----------------------------------------------------------------------------------------ikepsk
300
sha
aesCbc modp2048 3600
active
Switch:1(config)#show ike sa version v2
========================================================================================
==
IKE V2 Phase 1 Security Association
========================================================================================
==
Policy
Addr
Initiator/
Name
Type Local Address
Remote Address
Responder
----------------------------------------------------------------------------------------v2policy
IPv4 203.0.113.6
198.51.100.20
Responder
========================================================================================
==
IKE V2 Phase 1 Security Association
========================================================================================
==
DPD
Hash
Encrypt Integrity DH
Lifetime
Name
Timeout
Algo
Algo
Algo
Group
seconds
Status
December 2017
Configuring Security on VOSS
357
Secure AAA server communication
----------------------------------------------------------------------------------------v2policy
300
sha256 aesCbc
modp2048
86400
active
Variable definition
Use the data in the following table to use the show ike sa command.
Variable
Value
sa
Specifies the IKE security association identifier.
version v1 WORD<1-32>
laddr WORD<1-256>
raddr WORD<1-256>
Specifies the local IPv4 or IPv6 address for IKE Phase 1, version 1 SA.
version v2 WORD<1-32>
laddr WORD<1-256>
raddr WORD<1-256>
Specifies the local IPv4 or IPv6 address for IKE Phase 1, version 2 SA.
Job aid
The following table describes the fields in the output for the show ike profile command.
Parameter
Description
Policy Name
Specifies the name of the IKE Phase 1 policy.
Addr Type
Specifies whether the IP address is an IPv4 or IPv6
address.
Local Address
Specifies the local IPv4 or IPv6 address.
Remote Address
Specifies the remote IPv4 or IPv6 address.
Name
Specifies the name of the IKE Phase 1 profile.
DPD Timeout
Specifies the Dead-peer detection timeout in
seconds. The supported value ranges from 1 to
4294967295 seconds.
Hash Algo
Specifies the hash authorization algorithm. The
supported values are MD5, SHA1, and SHA256.
Encrypt Algo
Specifies the crytographic algorithm. The supported
values are DES, 3DES, and AES.
DH Group
Specifies the Diffe-Hellman (DH) group. The
supported values are MOD768, MOD1024, and
MOD2048.
Lifetime seconds
Specifies the lifetime value in seconds. The value
ranges from 0 to 4294967295 seconds.
Status
Specifies the status of the security association.
December 2017
Configuring Security on VOSS
358
IKE configuration for Secure AAA server using CLI
Configuring an IKEv2 profile
About this task
Use the following procedure to configure an IKEv2 profile.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create an IKEv2-profile:
ike v2-profile WORD<1–32>
3. Configure the IKEv2 profile hash algorithm:
ike v2-profile WORD<1–32> hash-algo <md5|sha|sha256|any>
4. Configure the IKEv2 profile encryption algorithm:
ike v2-profile WORD<1–32> encrypt-algo <desCbc|3DesCbc|aesCbc|any>
5. Configure the IKEv2 profile integrity algorithm
ike v2-profile WORD<1–32> integrity-algo <hmac-md5|hmac-sha|hmacsha256|aes-xcbc|any>
6. Configure the IKEv2 profile dh group
ike v2-profile WORD<1–32> dh-group <modp768|modp1024|modp2048|any
7. Configure the IKEv2 profile encryption key length:
ike v2-profile WORD<1–32> encrypt-key-len <128|192|256>
8. Configure the IKEv2 profile lifetime, in seconds:
ike v2-profile WORD<1–32> lifetime-sec <0-4294967295>
9. (Optional) Delete the IKEv2 profile:
no ike v2-profile WORD<1–32>
Variable definition
Use the data in the following table to use the ike v2–profile commands.
Variable
Value
profile WORD<1–32>
Specifies the IKE v2–profile name.
Table continues…
December 2017
Configuring Security on VOSS
359
Secure AAA server communication
Variable
Value
hash-algo <md5|sha|
sha256|any>
Specifies the type of hash algorithm. The default value is sha256. To set this
option to the default value, use the default operator with the command:
default ike v2–profile WORD<1–32> hash-algo
encrypt-algo <desCbc|
3DesCbc|aesCbc|any>
Specifies the type of encryption algorithm. The default value is aesCbc. To set
this option to the default value, use the default operator with the command:
default ike v2–profile WORD<1–32> encrypt-algo
integrity-algomd5|sha-1|
sha-256|aes-xcbc
Specifies the type of integrity algorithm. The default is sha256. To set this
option to the default value, use the default operator with the command:
default ike v2–profile WORD<1–32> integrity-algo
dh-group <modp768|
modp1024|modp2048|
any>
Specifies the Diffie-Hellman (DH) group. DH groups categorize the key used
in the key exchange process, by its strength. The key from a higher group
number is more secure. The default value is modp2048. To set this option to
the default value, use the default operator with the command: default ike
v2–profile WORD<1–32> dh-group
encrypt-key-len <128|192| Specifies the length of the encryption key. The default is 256. To set this
256>
option to the default value, use the default operator with the command:
default ike v2–profile WORD<1–32> encrypt-key-len
lifetime-sec
<0-4294967295>
Specifies the lifetime value in seconds. The lifetime ensures that the peers
renegotiate the SAs just before the expiry of the lifetime value, to ensure that
Security Associations are not compromised. The default value is 86400
seconds. To set this option to the default value, use the default operator with
the command: default ike v2–profile WORD<1–32> lifetime-sec
Displaying IKEv2 profiles
Use the following procedure to display the configured IKEv2 profiles:
Procedure
1. Enter Privileged EXEC mode:
enable
2. Display all IKEv2 profiles:
show ike v2-profile
3. Display a specific IKEv2 profile:
show ike v2-profile WORD<1–32>
Example
Switch:1#show ike v2-profile test
========================================================================================
==
IKE2 Profile
========================================================================================
==
Hash
Encrypt
December 2017
Configuring Security on VOSS
360
IKE configuration for Secure AAA server using CLI
Encrypt
Exchange
Name
Algo
Algo
Key
Length
Mode
----------------------------------------------------------------------------------------test
sha256
aesCbc
256
main
========================================================================================
==
IKE2 Profile
========================================================================================
==
DH
Integrity
Lifetime
Name
Group
Algorithm
seconds
----------------------------------------------------------------------------------------test
modp2048
sha256
180
Variable definitions
Use the data in the following table to use the show ike v-2profile command.
Variable
Value
WORD<1–32>
Specifies the name of the policy.
Job aid
The following table describes the fields in the output for the show ike v2–profile command.
Parameter
Description
Name
Specifies the name of the IKEv2 profile.
Hash Algo
Specifies the hash authorization algorithm. The
supported values are MD5, SHA1, and SHA256.
Encrypt Algo
Specifies the crytographic algorithm. The supported
values are DES, 3DES, and AES.
Encrypt Key Length
Specifies the length of the encryption key. The
supported values are 128, 192, and 256.
DH Group
Specifies the Diffe-Hellman (DH) group. The
supported values are modp768, modp024, and
modp048.
Integrity Algorithm
Specifies IKE SA integrity algorithms supported in
IKEv2.
Exchange Mode
Specifies the IKE mode. The supported mods are
main mode and aggressive mode.
Lifetime seconds
Specifies the lifetime value in seconds. The value
ranges from 0 to 4294967295 seconds.
December 2017
Configuring Security on VOSS
361
Secure AAA server communication
IKE configuration for Secure AAA server
Configuring IKE Phase 1 profile
Use the following procedure to create and configure an IKE Phase 1 profile.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IKE.
3. Click the Profile tab.
4. Click Insert.
5. In the Name field, type a profile name.
6. Complete the remaining optional configuration to customize the policy.
7. Click Insert.
IKE profile field descriptions
Use the data in the following table to use the IKE > Profile tab.
Name
Description
Name
Specifies the name of the profile.
HashAlgorithm
Specifies the hash algorithms that can be used
during IKE Phase 1 SA negotiation.
The default value is sha256.
EncryptionAlgorithm
Specifies the encryption algorithms that can be
used during IKE Phase 1 SA negotiation.
The default value is aesCbc.
EncryptKeyLen
Specifies the key length that should be used during
IKE Phase 1 SA negotiation.
The default value is 128.
DHGroup
Specifies the Diffie-Hellman groups that can be
used during IKE Phase 1 SA negotiation.
The default value is mod1024.
ExchangeMode
Specifies the IKE Phase 1 negotiation mode.
The default value is main.
LifetimeSeconds
December 2017
Specifies the amount of time for which an IKE
Phase 1 SA can remain valid during IKE Phase 1
Table continues…
Configuring Security on VOSS
362
IKE configuration for Secure AAA server
Name
Description
negotiation. A value of 0 means no the SA always
remains valid.
The default value is 86400 seconds.
Configuring IKEv2 profile
Use the following procedure to create and configure an IKEv2 profile.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IKE.
3. Click the V2 Profile tab.
4. Click Insert.
5. In the Name field, type a profile name.
6. Complete the remaining optional configuration to customize the policy.
7. Click Insert.
V2 Profile field descriptions
Use the data in the following table to use the IKE > V2 Profile tab.
Name
Description
Name
Specifies the IKE v2 profile name.
HashAlgorithm
Specifies the type of hash algorithm that can be
used during IKE version 2 SA version 2 negotiation.
The default value is sha256.
EncryptionAlgorithm
Specifies the encryption algorithms that can be
used during IKE version 2 SA version 2 negotiation.
The default value is aesCbc.
EncryptKeyLen
Specifies the type of encryption algorithm. The
default value is keylen–256.
DHGroup
Specifies the Diffie-Hellman (DH) group. DH groups
categorize the key used in the key exchange
process, by its strength. The key from a higher
group number is more secure. The default value is
modp2048.
ExchangeMode
Specifies the IKE v2 profile negotiation mode.
Table continues…
December 2017
Configuring Security on VOSS
363
Secure AAA server communication
Name
Description
The default value is main.
LifetimeSeconds
Specifies the lifetime value in seconds. The lifetime
ensures that the peers renegotiate the SAs just
before the expiry of the lifetime value, to ensure that
Security Associations are not compromised. The
default value is 86400 seconds.
IntegrityAlgorithm
Specifies the type of integrity algorithm.
Configuring IKE Phase 1 policy
Use the following procedure to create and configure an IKE Phase 1 policy.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IKE.
3. Click the Policy tab.
4. Click Insert.
5. In the LocalIfIndex field, click either Port or Vlan, and then select an interface.
6. In the LocalAddrType field, select the type of the local address.
7. In the LocalAddr field, type the address of the local peer.
8. In the RemoteAddrType field, select the type of the remote address.
9. In the RemoteAddr field, type the address of the remote peer.
10. In the Name field, type the name for the policy.
Name must be assigned when creating the policy. Once the policy is created, the name
cannot be changed.
11. Complete the remaining optional configuration to customize the policy.
12. Click Insert.
Policy field descriptions
Use the data in the following table to use the Policy tab.
Name
Description
LocalIfIndex
Specifies the Interface Index of the local address.
Only port and vlan interfaces are supported.
Table continues…
December 2017
Configuring Security on VOSS
364
IKE configuration for Secure AAA server
Name
Description
LocalAddrType
Specifies whether the local address is an IPv4 or
IPv6 address.
LocalAddr
Specifies the address of the local peer.
RemoteAddrType
Specifies whether the remote address is an IPv4 or
IPv6 address.
RemoteAddr
Specifies the address of the remote peer.
Name
Specifies the name given to the policy. The name
should be assigned while creating the policy. You
cannot change the name after the policy is created.
ProfileName
Specifies the name of the profile that should be
used for this policy.
ProfileVersion
Specifies the profile version used for the policy.
PeerName
Specifies the peer name.
AuthenticationMethod
Specifies the proposed authentication method for
the Phase 1 security association.
The default authentication method is pre-shared
key.
PSKValue
Specifies the value of the Pre-Shared Key if the
authentication method is set to PSK.
DPDTimeout
Specifies the Dead Peer Detection timeout in
seconds.
Default value is 300 seconds.
P2PFS
Specifies whether or not the perfect forward secrecy
(PFS) is used when refreshing keys. To use PFS,
select enable.
The default value is disable.
P2PfsUseIkeGroup
Specifies whether or not to use the same GroupId
(Diffie-Hellman Group) for phase 2 as was used in
phase 1. Ignore this entry if P2PFS is disabled.
The default value is enable.
P2PfsDHGroup
Specifies the Diffie-Hellman group to use for phase
2 when P2PFS is enabled and P2PfsUseIkeGroup
is disabled.
The default value is mod1024.
AdminState
Specifies whether the policy is administratively
enabled or disabled.
The default value is disable.
OperStatus
Shows is the policy is operationally up or down.
RevocationCheckMethod
Specifies the revocation check method as OCSP,
CRL or none.
December 2017
Configuring Security on VOSS
365
Secure AAA server communication
Displaying IKE Phase 1 security association
Use the following procedure to view the IKE Phase 1 security association.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IKE.
3. Click the SA tab.
IKE SA field descriptions
Use the data in the following table to use the IKE > SA tab.
Name
Description
Id
Specifies the profile ID.
LocalIfIndex
Specifies the Interface Index of the local address.
Only port and vlan interfaces are supported.
LocalAddrType
Specifies whether the local address is an IPv4 or
IPv6 address.
LocalAddr
Specifies the address of the local peer.
RemoteAddrType
Specifies whether the remote address is an IPv4 or
IPv6 address.
RemoteAddr
Specifies the address of the remote peer.
Name
Specifies the name given to the SA.
AuthenticationMethod
Specifies the proposed authentication method for
the Phase 1 security association.
The default authentication method is pre-shared
key.
DPDTimeout
Specifies the Dead Peer Detection timeout in
seconds.
HashAlgorithm
Specifies the hash algorithm negotiated for this IKE
Phase 1 SA.
EncryptionAlgorithm
Specifies the encryption algorithm negotiated for
this IKE Phase 1 SA.
EncryptKeyLen
Specifies the encryption key length negotiated for
this IKE Phase 1 SA.
DHGroup
Specifies the Diffie-Hellman group negotiated for
this IKE Phase 1 SA.
ExchangeMode
Specifies the IKE Phase 1 SA mode.
Table continues…
December 2017
Configuring Security on VOSS
366
IKE configuration for Secure AAA server
Name
Description
LifetimeSeconds
Specifies the amount of time for which an IKE
Phase 1 SA can remain valid during IKE Phase 1
negotiation. A value of 0 means no the SA always
remains valid.
Status
Specifies whether the SA is active or inactive.
Initiator
Specifies whether specifies the whether the SA is
created by an initiator or a responder.
Displaying IKE V2 security association
Use the following procedure to view the IKE version 2 security association.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click IKE.
3. Click the V2 SA tab.
V2 SA field descriptions
Use the data in the following table to use the IKE > V2 SA tab.
Name
Description
Id
Specifies the profile ID.
LocalIfIndex
Specifies the Interface Index of the local address.
Only port and vlan interfaces are supported.
LocalAddrType
Specifies whether the local address is an IPv4 or
IPv6 address.
LocalAddr
Specifies the address of the local peer.
RemoteAddrType
Specifies whether the remote address is an IPv4 or
IPv6 address.
RemoteAddr
Specifies the address of the remote peer.
Name
Specifies the name given to the SA.
AuthenticationMethod
Specifies the proposed authentication method for
theVersion 2 security association.
The default authentication method is pre-shared
key.
DPDTimeout
Specifies the Dead Peer Detection timeout in
seconds.
Table continues…
December 2017
Configuring Security on VOSS
367
Secure AAA server communication
Name
Description
HashAlgorithm
Specifies the hash algorithm negotiated for this IKE
Version 2 SA.
EncryptionAlgorithm
Specifies the encryption algorithm negotiated for
this IKE Version 2 SA.
EncryptKeyLen
Specifies the encryption key length negotiated for
this IKE Version 2 SA.
DHGroup
Specifies the Diffie-Hellman group negotiated for
this IKE Version 2 SA.
ExchangeMode
Specifies the IKE Version 2 SA mode.
LifetimeSeconds
Specifies the amount of time for which an IKE
Version 2 SA can remain valid during IKE Version 2
negotiation. A value of 0 means no the SA always
remains valid.
Status
Specifies whether the SA is active or inactive.
Initiator
Specifies whether specifies the whether the SA is
created by an initiator or a responder.
IntegrityAlgorithm
Specifies the type of integrity algorithm.
December 2017
Configuring Security on VOSS
368
Chapter 10: Simple Network Management
Protocol (SNMP)
You can use the Simple Network Management Protocol (SNMP) to remotely collect management
data and configure devices.
An SNMP agent is a software process that monitors the UDP port 161 for SNMP messages. Each
SNMP message sent to the agent contains a list of management objects to retrieve or modify.
SNMPv3
The SNMP version 3 (v3) is the third version of the Internet Standard Management Framework
and is derived from and builds upon both the original Internet Standard Management Framework
SNMP version 1 (v1) and the second Internet Standard Management Framework SNMP version 2
(v2).
The SNMPv3 is not a stand-alone replacement for SNMPv1 or SNMPv2. The SNMPv3 defines
security capabilities you must use in conjunction with SNMPv2 (preferred) or SNMPv1. The
following figure shows how SNMPv3 specifies a user-based security model (USM) that uses a
payload of either an SNMPv1 or an SNMPv2 Protocol Data Unit (PDU).
Figure 26: SNMPv3 USM
December 2017
Configuring Security on VOSS
369
Simple Network Management Protocol (SNMP)
SNMPv3 is an SNMP framework that supplements SNMPv2 by supporting the following:
• New SNMP message formats
• Security for messages
• Access control
• Remote configuration of SNMP parameters
The recipient of a message can use authentication within the USM to verify the message sender
and to detect if the message is altered. According to RFC2574, if you use authentication, the USM
checks the entire message for integrity.
An SNMP entity is an implementation of this architecture. Each SNMP entity consists of an SNMP
engine and one or more associated applications.
SNMP engine
An SNMP engine provides services for sending and receiving messages, authenticating and
encrypting messages, and controlling access to managed objects. A one-to-one association exists
between an SNMP engine and the SNMP entity, which contains the SNMP engine.
EngineID
Within an administrative domain, an EngineID is the unique identifier of an SNMP engine.
Because there is a one-to-one association between SNMP engines and SNMP entities, the ID
also uniquely and unambiguously identifies the SNMP entity within that administrative domain.
The system generates an EngineID during the startup process. The SNMP engine contains a:
• Dispatcher on page 370.
• Message processing subsystem on page 370.
• Security subsystem on page 370.
• Access control subsystem on page 371.
Dispatcher
The dispatcher is part of an SNMP engine. You can use the dispatcher for concurrent support of
multiple versions of SNMP messages in the SNMP engine through the following ways:
• To send and receive SNMP messages to and from the network.
• To determine the SNMP message version and interact with the corresponding message
processing model.
• To provide an abstract interface to SNMP applications for delivery of a PDU to an application.
• To provide an abstract interface for SNMP applications to send a PDU to a remote SNMP
entity.
Message processing subsystem
The message processing subsystem prepares messages for sending and extracts data from
received messages. The subsystem can contain multiple message processing models.
Security subsystem
The security subsystem provides the following features:
• Authentication
December 2017
Configuring Security on VOSS
370
SNMPv3
• Privacy
• Security
Authentication
You can use authentication within the SNMPv3 to verify the message sender and whether the
message is altered. If you use authentication, the integrity of the message is verified. The
supported SNMPv3 authentication protocols are HMAC-MD5 and HMAC-SHA-96. By default, the
switch uses HMAC-SHA1-96 with 160-bit key length.
Privacy
SNMPv3 is an encryption protocol for privacy. Only the data portion of a message is encrypted;
the header and the security parameters are not. The privacy protocol that SNMPv3 supports is
CBC-DES Symmetric Encryption Protocol and Advanced Encryption Standard (AES).
Security
The SNMPv3 security protects against:
• Modification of information—protects against altering information in transit.
• Masquerade—protects against an unauthorized entity assuming the identity of an authorized
entity.
• Message stream modification—protects against delaying or replaying messages.
• Disclosure—protects against eavesdropping.
The SNMPv3 security also offers:
• Discovery procedure—finds the EngineID of an SNMP entity for a given transport address or
transport endpoint address.
• Time synchronization procedure—facilitates authenticated communication between entities
The SNMPv3 does not protect against the following:
• Denial-of-service—prevention of exchanges between manager and agent.
• Traffic analysis—general pattern of traffic between managers and agents.
Access control subsystem
SNMPv3 provides a group option for access policies.
The access policy feature in the switch determines the access level for the users connecting to the
device with different services like File Transfer Protocol (FTP), Trivial FTP (TFTP), Telnet, and
rlogin. The system access policy feature is based on the user access levels and network address.
This feature covers services, such as TFTP, HTTP, SSH, rlogin, and SNMP. However, with the
SNMPv3 engine, the community names do not map to an access level. The View-based Access
Control Model (VACM) determines the access privileges.
Use the configuration feature to specify groups for the SNMP access policy. You can use the
access policy services to cover SNMP. Because the access restriction is based on groups defined
through the VACM, the synchronization is made using the SNMPv3 VACM configuration. The
administrator uses this feature to create SNMP users (USM community) and associate them to
groups. You can configure the access policy for each group and network.
The following are feature specifications for the group options:
• After you enable SNMP service, this policy covers all users associated with the groups
configured under the access policy. The access privileges are based on access allow or deny. If
December 2017
Configuring Security on VOSS
371
Simple Network Management Protocol (SNMP)
you select allow, the VACM configuration determines the management information base (MIB)views for access.
• The SNMP service is disabled by default for all access policies.
• The access level configured under access-policy policy <id> does not affect SNMP
service. The VACM configuration determines the SNMP access rights.
User-based security model
In a USM system, the security model uses a defined set of user identities for any authorized user
on a particular SNMP engine. A user with authority on one SNMP engine must also have
authorization on all SNMP engines with which the original SNMP engine communicates.
The USM provides the following levels of communication:
• NoAuthNoPriv—communication without authentication and privacy.
• AuthNoPriv—communication with authentication and without privacy.
• AuthPriv—communication with authentication and privacy.
The following figure shows the relationship between USM and VACM.
Figure 27: USM association with VACM
View-based Access Control
View-based Access Control Model (VACM) provides group access, group security levels, and
context based on a predefined subset of MIB objects. These MIB objects define a set of managed
objects and instances.
VACM is the standard access control mechanism for SNMPv3, and it provides:
• Authorization service to control access to MIB objects at the PDU level.
December 2017
Configuring Security on VOSS
372
SNMPv3
• Alternative access control subsystems.
The access is based on principal, security level, MIB context, object instance, and type of access
requested (read or write). You can use the VACM MIB to define the policy and control remote
management.
SNMPv3 encryption
A user-based security port for SNMPv3 is defined as a security subsystem within an SNMP
engine. The switch USM uses HMAC-MD5-96 and HMAC-SHA-96 as the authentication protocols,
and CBC-DES as the privacy protocol. Use USM to use other protocols instead of, or concurrently
with, these protocols. CFB128-AES-128, an AES-based Symmetric Encryption Protocol, is an
alternative privacy protocol for the USM.
The AES standard is the current encryption standard, Federal Information Processing Standard
140-2 (FIPS 140-2), intended to be used by the U.S. Government organizations to protect
sensitive information. The AES standard is also becoming a global standard for commercial
software and hardware that uses encryption or other security features.
The AES-based symmetric encryption protocol
This symmetric encryption protocol provides support for data confidentiality. The system encrypts
the designated portion of the SNMP message and includes it as part of the transmitted message.
The USM specifies that the scoped PDU is the portion of the message that requires encryption. An
SNMP engine that can legitimately originate messages on behalf of the appropriate user shares a
secret value, in combination with a timeliness value and a 64-bit integer, used to create the
(localized) encryption/decryption key and the initialization vector.
The AES encryption key and Initialization Vector
The AES encryption key uses the first 128 bits of the localized key. The 128-bit Initialization Vector
(IV) is the combination of the authoritative SNMP engine 32-bit snmpEngineBoot, the SNMP
engine 32-bit snmpEngineTime, and a local 64-bit integer. The system initializes the 64-bit integer
to a pseudo-random value at startup time.
Data encryption
The switch handles data encryption in the following manner:
1. The system treats data as a sequence of octets.
2. The system divides the plaintext into 128-bit blocks.
The first input block is the IV, and the forward cipher operation is applied to the IV to
produce the first output block.
3. The system produces the first cipher text block by executing an exclusive-OR function on
the first plaintext block with the first output block.
4. The system uses the cipher text block as the input block for the subsequent forward cipher
operation.
5. The system repeats the forward cipher operation with the successive input blocks until it
produces a cipher text segment from every plaintext segment.
6. The system produces the last cipher text block by executing an exclusive-OR function on
the last plaintext segment of r bits (r is less than or equal to 128) with the segment of the r
most significant bits of the last output block.
December 2017
Configuring Security on VOSS
373
Simple Network Management Protocol (SNMP)
Data decryption
The switch handles data decryption in the following manner:
1. In CFB decryption, the IV is the first input block, the system uses the first cipher text for the
second input block, the second cipher text for the third input block, and this continues until
the system runs out of blocks to decrypt.
2. The system applies the forward cipher function to each input block to produce the output
blocks.
3. The system passes the output blocks through an exclusive-OR function with the
corresponding cipher text blocks to recover the plaintext blocks.
4. The system sends the last cipher text block (whose size r is less than or equal to 128)
through an exclusive-OR function with the segment of the r most significant bits of the last
output block to recover the last plaintext block of r bits.
Trap notifications
You configure traps by creating SNMPv3 trap notifications, creating a target address to which you
want to send the notifications, and specifying target parameters. For more information about how
to configure trap notifications, see Troubleshooting.
SNMP community strings
For security reasons for SNMPv1 and SNMPv2, the SNMP agent validates each request from an
SNMP manager before responding to the request by verifying that the manager belongs to a valid
SNMP community. An SNMP community is a logical relationship between an SNMP agent and
one or more SNMP managers (the manager software implements the protocols used to exchange
data with SNMP agents). You define communities locally at the agent level.
The agent establishes one community for each combination of authentication and access control
characteristics that you choose. You assign each community a unique name (community string),
and all members of a community have the same access privileges, either read-only or read-write:
• Read-only: members can view configuration and performance information.
• Read-write: members can view configuration and performance information, and change the
configuration.
By defining a community, an agent limits access to its MIB to a selected set of management
stations. By using more than one community, the agent can provide different levels of MIB access
to different management stations.
SNMP community strings are used when a user logs on to the device over SNMP, for example,
using an SNMP-based management software. You set the SNMP community strings using CLI . If
you have read/write/all access authority, you can modify the SNMP community strings for access
to the device through Enterprise Device Manager (EDM).
You are provided with community strings for SNMPv1 and SNMPv2. If you want to use SNMPv3
only, you must disable SNMPv1 and SNMPv2 access by deleting the default community string
entries and create the SNMPv3 user and group.SNMPv3 on page 369.
December 2017
Configuring Security on VOSS
374
SNMP community strings
Note:
If you enable enhanced secure mode, the switch does not support the default SNMPv1 and
default SNMPv2 community strings, and default SNMPv3 user name. The individual in the
administrator access level role can configure a non-default value for the community strings,
and the switch can continue to support SNMPv1 and SNMPv2. The individual in the
administrator access level role can also configure a non-default value for the SNMPv3 user
name and the switch can continue to support SNMPv3.
If you disable enhanced secure mode, the SNMPv1 and SNMPv2 support for community
strings remains the same, and the default SNMPv3 user name remains the same. Enhanced
secure mode is disabled by default.
For more information on enhanced secure mode, see Administering.
The following table lists the default community strings for SNMPv1 and SNMPv2.
VRF
Default community string
Access
GlobalRouter VRF
public
Read access
private
Write access
public:512
Read access
private:512
Write access
ManagementRouter VRF
Community strings are encrypted using the AES encryption algorithm. Community strings do not
appear on the device and are not stored in the configuration file.
Caution:
Security risk
For security reasons, it is recommended that you set the community strings to values other
than the factory defaults.
The switch handles community string encryption in the following manner:
• When the device starts up, community strings are restored from the hidden file.
• When the SNMP community strings are modified, the modifications are updated to the hidden
file.
• Stale snmp-server community entries for different VRFs appear after reboot with no VRFs .
On an node with any valid config file saved with more than the default vrf0 ,
snmp_community entries for that VRF are created and maintained in a separate txt file,
snmp_comm.txt, on every boot. The node reads this file and updates the snmp communities
available on the node. As a result for a boot with config having no VRFs, you may still see
snmp_community entries for VRFs other than the globalRouter vrf0.
Hsecure with SNMP
If you enable hsecure, the system disables SNMPv1, SNMPv2 and SNMPv3. If you want to use
SNMP, you must use the command no boot config flag block-snmp to re-enable SNMP.
December 2017
Configuring Security on VOSS
375
Simple Network Management Protocol (SNMP)
SNMPv3 support for VRF
Use Virtual Router Forwarding (VRF) to offer networking capabilities and traffic isolation to
customers that operate over the same node (switch). Each virtual router emulates the behavior of
a dedicated hardware router and is treated by the network as a separate physical router. You can
use VRF Lite to perform the functions of many routers using a single router running VRF Lite. This
substantially reduces the cost associated with providing routing and traffic isolation for multiple
clients.
SNMP configuration using CLI
Configure the SNMP engine to provide services to send and receive messages, authenticate and
encrypt messages, and control access to managed objects. A one-to-one association exists
between an SNMP engine and the SNMP entity.
• To perform the procedures in this section, you must log on to the Global Configuration mode
in CLI. For more information about how to use CLI, see Using CLI and EDM.
This task flow shows you the sequence of procedures you perform to configure basic elements of
SNMP when using CLI.
December 2017
Configuring Security on VOSS
376
SNMP configuration using CLI
Figure 28: SNMP configuration procedures
Configuring SNMP settings
Configure Simple Network Management Protocol (SNMP) to define or modify the SNMP settings,
and specify how secure you want SNMP communications.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
December 2017
Configuring Security on VOSS
377
Simple Network Management Protocol (SNMP)
2. Enable the generation of authentication traps:
snmp-server authentication-trap enable
3. Configure the contact information for the system:
snmp-server contact WORD<0-255>
4. Configure the SNMP and IP sender flag to the same value:
snmp-server force-iphdr-sender enable
5. Send the configured source address (sender IP) as the sender network in the notification
message:
snmp-server force-trap-sender enable
6. Create an SNMPv1 server host:
snmp-server host WORD<1-256> [port <1-65535>] v1 WORD<1-32> [filter
WORD<1-32>]
7. Create an SNMPv2 server host:
snmp-server host WORD<1-256> [port <1-65535>] v2c WORD<1-32>
[inform [timeout <1-2147483647>][retries <0-255>][mms
<0-2147483647>]] [filter WORD<1-32>]
8. Create an SNMPv3 server host:
snmp-server host WORD<1-256> [port <1-65535>] v3 {noAuthNoPriv|
authNoPriv|authPriv WORD<1-32> [inform [timeout <1-2147483647>]
[retries <0-255>]] [filter WORD<1-32>]
9. Configure the system location:
snmp-server location WORD<0-255>
10. Configure the system name:
snmp-server name WORD<0-255>
11. Create a new entry in the notify filter table:
snmp-server notify-filter WORD<1-32> WORD<1-32>
12. Configure the SNMP trap receiver and source IP addresses:
snmp-server sender-ip {A.B.C.D} {A.B.C.D}
Example
Enable the generation of SNMP traps. Configure the contact information for the system. Configure
the SNMP and IP sender flag to the same value. Configure hosts to receive SNMP notifications:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#snmp-server
Switch:1(config)#snmp-server
Switch:1(config)#snmp-server
Switch:1(config)#snmp-server
December 2017
authentication-trap enable
contact xxxx@company.com
force-iphdr-sender enable
host 192.0.2.16 port 1 v1 SNMPv1 filter SNMPfilterv1
Configuring Security on VOSS
378
SNMP configuration using CLI
Variable definitions
Use the data in the following table to use the snmp-server command.
Table 10: Variable definitions
Variable
Value
bootstrap {min-secure|semi-secure|
very-secure}
Creates an initial set of configuration data for SNMPv3. This
configuration data follows the conventions described in the SNMPv3
standard (see standard, RFC3515). This command creates a set of
initial users, groups, and views.
• min-secure—a minimum security configuration that gives read
access and notify access to all processes (MIB view restricted)
with noAuth-noPriv and read, write, and notify access to all
processes (MIB view internet) using Auth-Priv.
In this configuration, restricted MIB view matches internet MIB
view.
• semi-secure—a security configuration that gives read access and
notify access to all processes (MIB view restricted) with noAuthnoPriv and read, write, and notify access to all processes (MIB
view Internet) using Auth-Priv.
In this configuration, restricted MIB view contains a smaller subset
of views than Internet MIB view. For more information, see
RFC3515 for details.
• very-secure—a maximum security configuration that allows no
access to the users.
With this command all existing SNMP configurations in the SNMPv3
MIB tables are removed and replaced with entries as described in
the RFC.
contact WORD<0-255>
Changes the sysContact information for the switch. WORD<0-255>
is an ASCII string from 0–255 characters (for example a phone
extension or e-mail address).
host WORD<1-256> [port
<1-65535>] {v1 WORD<1-32>|v2c
WORD<1-32> [inform [timeout
<1-2147483647>][retries <0-255>]
[mms <0-2147483647>]]|v3
{noAuthPriv|authNoPriv|authPriv}
WORD<1-32> [inform [timeout
<1-2147483647>][retries <0-255>]]}
[filter WORD<1-32>]
Configures hosts to receive SNMP notifications.
• host WORD<1-256> specifies the IPv4 or IPv6 host address
• port <1-65535> specifies the port number
• v1 WORD<1-32> specifies the SNMP v1 security name
• v2c WORD<1-32> specifies the SNMPv2 security name
• inform specifies the notify type
• timeout <1-2147483647> specifies the timeout value
• retries <0-255> specifies the number of retries
• mms <1-2147483647> specifies the maximum message size
• v3 specifies SNMPv3
Table continues…
December 2017
Configuring Security on VOSS
379
Simple Network Management Protocol (SNMP)
Variable
Value
• noAuthPriv|authNoPriv|authPriv specifies the security level
• WORD<1-32> specifies the user name
• filter specifies a filter profile name
location WORD<0-255>
Configures the sysLocation information for the system. <WORD
0-255> is an ASCII string from 0–255 characters.
name WORD<0-255>
Configures the sysName information for the system. <WORD
0-255> is an ASCII string from 0–255 characters.
notify-filter WORD<1-32>
WORD<1-32>
Creates a new entry in the notify filter table. The first WORD<1-32>
specifies the filter profile name, and the second WORD<1-32>
specifies the subtree OID.
sender-ip {A.B.C.D} {A.B.C.D}
The first {A.B.C.D} configures the SNMP trap receiver and source IP
addresses. Specify the IP address of the destination SNMP server
receives the SNMP trap notification in the first IP address.
The second {A.B.C.D} specifies the source IP address of the SNMP
trap notification packet that is transmitted in the second IP address.
If you set this to 0.0.0.0, the system uses the IP address of the local
interface that is closest (from an IP routing table perspective) to the
destination SNMP server.
Creating a user
Create a new user in the USM table to authorize a user on a particular SNMP engine
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a user on a remote system:
snmp-server user engine-id WORD<16—97>WORD<1-32>[{md5|sha}
WORD<1-32>] [{aes|des} WORD<1-32>]
3. Create a user on the local system:
snmp-server user WORD<1-32> [notify-view WORD<0-32>][read-view
WORD<0-32>] [write-view WORD<0-32>] [{md5|sha} WORD<1-32>] [{aes|
des} WORD<1-32>
4. Add the user to a group:
snmp-server user WORD<1-32> group WORD<1-32> [{md5|sha} WORD<1-32>]
[{aes|des} WORD<1-32>]
December 2017
Configuring Security on VOSS
380
SNMP configuration using CLI
Example
Create a user named test1 on a remote system with MD5:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#snmp-server user test1 md5 auth-password aes test write-view test1
Variable definitions
Use the data in the following table to use the snmp-server user command.
Table 11: Variable definitions
Variable
Value
{aes|des} WORD<1-32>
Specifies a privacy protocol. If no value is entered, no
authentication capability exists. The choices are aes or des.
WORD<1-32> assigns a privacy password. If no value is
entered, no privacy capability exists. The range is 1 to 32
characters.
Important:
You must set authentication before you can set the
privacy option.
engine-id WORD<16-97>
Assigns an SNMPv3 engine ID. Use the no operator to remove
this configuration.
group WORD<1-32>
Specifies the group access name.
{md5|sha} WORD<1-32>
Specifies an authentication protocol. If no value is entered, no
authentication capability exists. The protocol choices are: MD5
and SHA. WORD<1-32> specifies an authentication password.
If no value is entered, no authentication capability exists. The
range is 1–32 characters.
notify-view WORD<0-32>
Specifies the view name in the range of 0 to 32 characters.
The first instance is a noAuth view. The second instance is an
auth view and the last instance is an authPriv view.
read-view WORD<0-32>
Specifies the view name in the range of 0 to 32 characters.
The first instance is a noAuth view. The second instance is an
auth view and the last instance is an authPriv view.
write-view WORD<0-32>
Specifies the view name in the range of 0 to 32 characters.
The first instance is a noAuth view. The second instance is an
auth view and the last instance is an authPriv view.
user WORD<1-32>
Creates the new entry with this security name. The name is
used as an index to the table. The range is 1–32 characters.
Use the no operator to remove this configuration.
December 2017
Configuring Security on VOSS
381
Simple Network Management Protocol (SNMP)
Creating a new user group
Create a new user group to logically group users who require the same level of access. Create
new access for a group in the View-based Access Control Model (VACM) table to provide access
to managed objects.
Note:
There are several default groups (public and private) created that you can use. To see the list
of default groups and their associated security names (secnames), enter show snmpserver group. If you use one of these groups, there is no need to create a new group.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a new user group:
snmp-server group WORD <1-32> WORD<1-32> {auth-no-priv|auth-priv|
no-auth-no-priv} [notify-view WORD<1-32>] [read-view WORD<1-32>]
[write-view WORD<1-32>]
Example
This example uses the following variable names:
• The new group name is lan6grp.
• The context of the group is "", which represents the Global Router (VRF 0).
• The security level is no-auth-no-priv.
• The access view name is v1v2only for all three views: notify-view, read-view, and
write-view.
Switch:1>enable
Switch:1#configure terminal
Create a new user group:
Switch:1(config)#snmp-server group lan6grp "" no-auth-no-priv notifyview v1v2only read-view v1v2only write-view v1v2only
Variable definitions
Use the data in the following table use the snmp-server group command.
December 2017
Configuring Security on VOSS
382
SNMP configuration using CLI
Table 12: Variable definitions
Variable
Value
auth-no-priv
Assigns the minimum level of security required to gain the access
rights allowed by this conceptual row. If the auth-no-priv parameter
is included, it creates one entry for SNMPv3 access.
auth-priv
Assigns the minimum level of security required to gain the access
rights allowed by this conceptual row. If the auth-priv parameter is
included, it creates one entry for SNMPv3 access.
group WORD<1-32> WORD<1-32> The first WORD<1–32> specifies the group name for data access.
The range is 1–32 characters. Use the no operator to remove this
configuration.
The second WORD<1–32> specifies the context name. The range
is 1–32 characters. If you use a particular group name value but
with different context names, you create multiple entries for different
contexts for the same group. You can omit the context name and
use the default. If the context name value ends in the wildcard
character (*), the resulting entries match a context name that begins
with that context. For example, a context name value of foo*
matches contexts starting with foo, such as foo6 and foofofum. Use
the no operator to remove this configuration.
no-auth-no-priv
Assigns the minimum level of security required to gain the access
rights allowed by this conceptual row. If the no-auth-no-priv
parameter is included, it creates 3 entries, one for SNMPv1 access,
one for SNMPv2c access, and one for SNMPv3 access.
notify-view WORD<1-32>
Specifies the view name in the range of 0–32 characters.
read-view WORD<1-32>
Specifies the view name in the range of 0–32 characters.
write-view WORD<1-32>
Specifies the view name in the range of 0–32 characters.
Creating a new entry for the MIB in the view table
Create a new entry in the MIB view table. The default Layer 2 MIB view cannot modify SNMP
settings. However, a new MIB view created with Layer 2 permission can modify SNMP settings.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a new entry:
snmp-server view WORD<1-32> WORD<1-32>
Example
Switch:1>enable
December 2017
Configuring Security on VOSS
383
Simple Network Management Protocol (SNMP)
Switch:1#configure terminal
Create MIB views:
Switch:1(config)snmp-server view 2 1.3.8.7.1.4
Variable definitions
Use the data in the following table to use the snmp-server view command.
Table 13: Variable definitions
Variable
Value
The first WORD<1-32>
Specifies the prefix that defines the set of MIB objects
accessible by this SNMP entity. The range is 1–32 characters.
The second WORD<1-32>
Specifies a new entry with this group name. The range is 1–32
characters.
Creating a community
Create a community to use in forming a relationship between an SNMP agent and one or more
SNMP managers. You require SNMP community strings to access the system using an SNMPbased management software.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a community:
snmp-server community WORD<1-32> [group WORD<1-32>] [index
WORD<1-32>] [secname WORD<1-32>]
Important:
• The group parameter is only required if you created a new user group using the
procedure in Creating a new user group on page 382. If you use any of the default
groups, the secname automatically links the community to its associated group so
there is no need specify the group in this command.
• If you do create a new group, use the snmp-server community command to
create an SNMP community with a new security name and link it to the new group
you created. There is no separate command to create a security name (secname).
You use the snmp-server community command. The security name is the key to
link the community name to a group.
• You cannot use the @ character or the string :: when you create community strings.
December 2017
Configuring Security on VOSS
384
SNMP configuration using CLI
Example
In the following example, the community name is anewcommunity, the index is third, and the
secname is readview. There is no group specified because this is a default public/read only group.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#snmp-server community anewcommunity index third secname
readview
Variable definitions
Use the data in the following table to use the snmp-server community command.
Table 14: Variable definitions
Variable
Value
community
WORD<1-32>
Specifies a community string. The range is 1–32 characters.
group
WORD<1-32>
Specifies the group name. The range is 1–32 characters.
index
WORD<1-32>
Specifies the unique index value of a row in this table. The range is 1–32 characters.
secname
WORD<1-32>
Maps the community string to the security name in the VACM Group Member Table.
The range is 1-32 characters.
Adding a user to a group
Add a user to a group to logically group users who require the same level of access.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Create a new user group:
snmp-server user WORD<1-32> group WORD<1-32> [{md5 WORD<1-32>|sha
WORD<1-32>) [{aes WORD<1-32>|des WORD<1-32>}]]
Example
Switch:1>enable
Switch:1#configure terminal
Add a user to a group to logically group users who require the same level of access:
December 2017
Configuring Security on VOSS
385
Simple Network Management Protocol (SNMP)
Switch:1(config)#snmp-server user test1 group Grouptest1 md5 winter aes
summer
Variable definitions
Use the data in the following table to use the snmp-server user command.
Table 15: Variable definitions
Variable
Value
{aes|des} WORD<1-32>
Specifies a privacy protocol. If no value is entered, no
authentication capability exists. The choices are aes or des.
WORD<1-32> assigns a privacy password. If no value is
entered, no privacy capability exists. The range is 1 to 32
characters.
Important:
You must set authentication before you can set the
privacy option.
engine-id WORD<16-97>
Assigns an SNMPv3 engine ID. Use the no operator to remove
this configuration.
group WORD<1-32>
Specifies the group access name.
{md5|sha} WORD<1-32>
Specifies an authentication protocol. If no value is entered, no
authentication capability exists. The protocol choices are: MD5
and SHA. WORD<1-32> specifies an authentication password.
If no value is entered, no authentication capability exists. The
range is 1–32 characters.
notify-view WORD<0-32>
Specifies the view name in the range of 0 to 32 characters.
The first instance is a noAuth view. The second instance is an
auth view and the last instance is an authPriv view.
read-view WORD<0-32>
Specifies the view name in the range of 0 to 32 characters.
The first instance is a noAuth view. The second instance is an
auth view and the last instance is an authPriv view.
write-view WORD<0-32>
Specifies the view name in the range of 0 to 32 characters.
The first instance is a noAuth view. The second instance is an
auth view and the last instance is an authPriv view.
user WORD<1-32>
Creates the new entry with this security name. The name is
used as an index to the table. The range is 1–32 characters.
Use the no operator to remove this configuration.
Blocking SNMP
Disable SNMP by using the SNMP block flag. By default, SNMP access is enabled.
Procedure
1. Enter Global Configuration mode:
December 2017
Configuring Security on VOSS
386
SNMP configuration using CLI
enable
configure terminal
2. Disable SNMP:
boot config flags block-snmp
Example
Switch:1>enable
Switch:1#configure terminal
Disable SNMP:
Switch:1(config)#boot config flags block-snmp
Variable definitions
Use the data in the following table to use the boot config flags command.
Table 16: Variable definitions
Variable
Value
block-snmp
Configures the block SNMP flag as active. Use the no operator to remove
this configuration. The default is off. To set this option to the default value,
use the default operator with the command.
Displaying SNMP system information
Display SNMP system information to view trap and authentication profiles.
For a comprehensive set of SNMP-related show commands, see CLI Commands Reference.
Procedure
1. Log on to the switch to enter User EXEC mode.
2. Display SNMP system information:
show snmp-server
Example
Switch:1>show snmp-server
trap-sender :
force-trap-sender :
force-iphdr-sender :
contact:
location :
name :
AuthenticationTrap :
LoginSuccessTrap :
December 2017
FALSE
FALSE
none
none
Switch:1
false
false
Configuring Security on VOSS
387
Simple Network Management Protocol (SNMP)
SNMP configuration using Enterprise Device Manager
Configure SNMP to provide services to send and receive messages, authenticate and encrypt
messages, and control access to managed objects with Enterprise Device Manager (EDM).
The following task flow shows you the sequence of procedures you perform to configure basic
elements of SNMP using EDM.
Figure 29: SNMP configuration using Enterprise Device Manager procedures
December 2017
Configuring Security on VOSS
388
SNMP configuration using Enterprise Device Manager
Creating a user
About this task
Create a new user in the USM table to authorize a user on a particular SNMP engine.
Note:
In EDM, to create new SNMPv3 users you must use the CloneFromUser option. However,
you cannot clone the default user, named initial. As a result, you must first use CLI to
configure at least one user, and then you can use EDM to create subsequent users with the
CloneFromUser option.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click USM Table.
3. Click Insert.
4. In the EngineID box, use the default Engine ID provided or type an administratively-unique
identifier to an SNMP engine.
5. In the User Name box, type a name.
6. From the CloneFromUser list, select a security name from which the new entry copies
authentication data and private data, if required.
7. From the Auth Protocol list, select an authentication protocol.
8. In the Cloned User's Auth Password box, type the authentication password of the cloned
user.
9. In the New User's Auth Password box, type an authentication password for the new user.
10. From the Priv Protocol list, select a privacy protocol.
11. In the Cloned User's Priv Password box, type the privacy password of the cloned user.
12. In the New User's Priv Password box, type a privacy password for the new user.
13. Click Insert.
Caution:
Security risk
To ensure security, change the GroupAccess table default view after you set up a new
user in the USM table. This prevents unauthorized people from accessing the system
using the default user logon. Also, change the Community table defaults, because the
community name is used as a community string in SNMPv1/v2 PDU.
USM Table field descriptions
Use the data in the following table to use the USM Table tab and the Insert USM Table dialog
box. Some fields appear only on the Insert USM Table dialog box.
December 2017
Configuring Security on VOSS
389
Simple Network Management Protocol (SNMP)
Name
Description
EngineID
Specifies an administratively-unique identifier to an SNMP engine.
UserName
Creates the new entry with this security name. The name is used as an
index to the table. The range is 1–32 characters.
SecurityName
Identifies the name on whose behalf SNMP messages are generated.
Clone From User
Specifies the security name from which the new entry must copy privacy
and authentication parameters. The range is 1–32 characters. This option
appears only in the Insert USM Table dialog box.
Auth Protocol
Assigns an authentication protocol (or no authentication) from a list. If you
select an authentication protocol, you must enter an old AuthPass and a
new AuthPass.
(Optional)
Cloned User's Auth
Password
Specifies the current authentication password of the cloned user. This
option appears only in the Insert USM Table dialog box.
New User's Auth Password
Specifies the authentication password of the new user. This option
appears only in the Insert USM Table dialog box.
Priv Protocol
Assigns a privacy protocol (or no privacy) from a list.
(Optional)
If you select a privacy protocol, you must enter an old PrivPass and a
new PrivPass.
Cloned User's Priv
Password
Specifies the current privacy password of the cloned user. This option
appears only in the Insert USM Table dialog box.
New User's Priv Password
Specifies the privacy password of the new user. This option appears only
in the Insert USM Table dialog box.
Creating a new group membership
About this task
Create a new group membership to logically group users who require the same level of access.
Note:
There are several default groups (public and private) created that you can use. To see the list
of default groups and their associated security names (secnames), enter show snmpserver group. If you use one of these groups, there is no need to create a new group.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click VACM Table.
3. Click the Group Membership tab.
4. Click Insert.
5. From the SecurityModel options, select a security model.
6. In the SecurityName box, type a security name.
December 2017
Configuring Security on VOSS
390
SNMP configuration using Enterprise Device Manager
7. In the GroupName box, type a group name.
8. Click Insert.
Group Membership field descriptions
Use the data in the following table to use the Group Membership tab.
Name
Description
SecurityModel
Specifies the security model to use with this group membership.
SecurityName
Specifies the security name assigned to this entry in the View-based
Access Control Model (VACM) table. The range is 1–32 characters.
GroupName
Specifies the name assigned to this group in the VACM table. The range
is 1–32 characters.
Creating access for a group
About this task
Create access for a group in the View-based Access Control Model (VACM) table to provide
access to managed objects.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click VACM Table.
3. Click the Group Access Right tab.
4. Click Insert.
5. In the GroupName box, type a VACM group name.
6. In the ContextPrefix box, select a VRF instance. This is an optional step.
7. From the SecurityModel options, select a model.
8. From the SecurityLevel options, select a security level.
9. In the ContextMatch option, select a value to match the context name. This value is exact
by default.
10. (Optional) In the ReadViewName box, type the name of the MIB view that forms the basis
of authorization when reading objects. This is an optional step.
11. (Optional) In the WriteViewName box, type the name of the MIB view that forms the basis
of authorization when writing objects. This is an optional step.
12. (Optional) In the NotifyViewName box, type MIB view that forms the basis of
authorization for notifications. This is an optional step.
13. Click Insert.
December 2017
Configuring Security on VOSS
391
Simple Network Management Protocol (SNMP)
Group Access Right field descriptions
Use the data in the following table to use the Group Access Right tab.
Name
Description
GroupName
Specifies the name of the new group in the VACM table. The range is 1–
32 characters.
ContextPrefix
Specifies if the contextName must match the value of the instance of this
object exactly or partially. The range is an SnmpAdminString, 1–32
characters.
SecurityModel
Specifies the authentication checking to communicate to the switch. The
security models are:
• SNMPv1
• SNMPv2
• USM
SecurityLevel
Specifies the minimum level of security required to gain the access rights
allowed. The security levels are:
• noAuthNoPriv
• authNoPriv
• authpriv
ContextMatch
Specifies if the prefix and the context name must match. If the value is
exact, all rows where the contextName exactly matches
vacmAccessContextPrefix are selected. If you do not select exact, all
rows where the contextName with starting octets that exactly match
vacmAccessContextPrefix are selected.
ReadViewName
Identifies the MIB view of the SNMP context to which this conceptual row
authorizes read access. The default is the empty string.
WriteViewName
Identifies the MIB view of the SNMP context to which this conceptual row
authorizes write access. The default is the empty string.
NotifyViewName
Identifies the MIB view of the SNMP context to which this conceptual row
authorizes access for notifications. The default is the empty string.
Creating access policies for SNMP groups
About this task
Create an access policy to determine the access level for the users who connect to the switch with
different services like File Transfer Protocol (FTP), Trivial FTP (TFTP), Telnet, and rlogin.
You only need to create access policies for SNMP groups if you have the access policy feature
enabled. For more information about access policies, see Administering.
Procedure
1. In the navigation pane, open the Configuration > Security > Control Path folders.
December 2017
Configuring Security on VOSS
392
SNMP configuration using Enterprise Device Manager
2. Click Access Policies.
3. Click the Access Policies-SNMP Groups tab.
4. Click Insert.
5. Enter an ID .
6. In the Name box, type a name.
7. From the Model options, select a security model.
8. Click Insert.
Access Policies — SNMP Groups field descriptions
Use the data in the following table to use the Access Polices-SNMP Groups tab.
Name
Description
Id
Specifies the ID of the group policy.
Name
Specifies the name assigned to the group policy. The range is 1–32 characters.
Model
Specifies the security model {SNMPv1|SNMPv2c|USM}.
Assigning MIB view access for an object
About this task
Create a new entry in the MIB View table.
You cannot modify SNMP settings with the default Layer 2 MIB view. However, you can modify
SNMP settings with a new MIB view created with Layer 2 permissions.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click VACM Table.
3. In the VACM Table tab, click the MIB View tab.
4. Click Insert.
5. In the ViewName box, type a view name.
6. In the Subtree box, type a subtree.
7. In the Mask box, type a mask.
8. From the Type options, select whether access to the MIB object is granted.
9. Click Insert.
MIB View field descriptions
Use the data in the following table to use the MIB View tab.
December 2017
Configuring Security on VOSS
393
Simple Network Management Protocol (SNMP)
Name
Description
ViewName
Creates a new entry with this group name. The range is
1–32 characters.
Subtree
Specifies a valid object identifier that defines the set of
MIB objects accessible by this SNMP entity, for example,
1.3.6.1.1.5.
Mask (optional)
Specifies a bit mask with vacmViewTreeFamilySubtree to
determine whether an OID falls under a view subtree.
Type
Determines whether access to a MIB object is granted
(included) or denied (excluded). The default is included.
Creating a community
About this task
Create a community to use in forming a relationship between an SNMP agent and one or more
SNMP managers. You require SNMP community strings for access to the switch using an SNMPbased management software.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click Community Table.
3. Click Insert.
4. In the Index box, type an index.
5. In the Name box, type a name that is a community string.
6. In the SecurityName box, type a security name.
7. In the ContextName box, type the context name.
8. Click Insert.
Community Table field descriptions
Use the data in the following table to use the Community Table tab.
Name
Description
Index
Specifies the unique index value of a row in this table. The range is 1–32
characters.
Name
Specifies the community string for which a row in this table represents a
configuration.
SecurityName
Specifies the security name in the VACM group member table to which
the community string is mapped. The range is 1–32 characters.
Table continues…
December 2017
Configuring Security on VOSS
394
SNMP configuration using Enterprise Device Manager
Name
Description
ContextEngineID
Indicates the location of the context in which management information is
accessed when using the community string specified in Name.
ContextName
Specifies the context in which management information is accessed when
you use the specified community string.
Viewing all contexts for an SNMP entity
About this task
View contexts to see the contents of the context table in the View-based Access Control Model
(VACM). This table provides information to SNMP command generator applications so that they
can properly configure the VACM access table to control access to all contexts at the SNMP entity.
Procedure
1. In the navigation tree, open the following folders: Configuration > Edit > SnmpV3.
2. Click VACM Table.
3. In the VACM Table tab, click the Contexts tab.
Contexts field descriptions
Use the data in the following table to use the Contexts tab.
Variable
Value
ContextName
Shows the name identifying a particular context at a particular SNMP
entity. The empty contextName (zero length) represents the default
context.
December 2017
Configuring Security on VOSS
395
Chapter 11: TACACS+
This chapter provides Terminal Access Controller Access Control Plus (TACACS+) concepts and
procedures to complete TACACS+ configuration.
TACACS+ fundamentals
The switch supports the TACACS+ client. TACACS+ is a remote authentication protocol that
provides centralized validation of users who attempt to gain access to a router or Network Access
Server (NAS).
The TACACS+ feature is a client and server-based protocol that allows the switch to accept a user
name and password and send a query to a TACACS+ authentication server, sometimes called a
TACACS+ daemon. The TACACS+ server allows access or denies access based on the response
by the client.
The TACACS+ feature facilitates the following services:
• Login authentication and authorization for CLI access through rlogin, Secure Shell (SSH),
Telnet, or serial port.
• Login authentication for web access through EDM.
• Command authorization for CLI through rlogin, SSH, Telnet, or serial port.
• Accounting of CLI through rlogin, SSH, Telnet, and serial port.
The following figure displays the basic layout of the switch and the TACACS+ server.
Figure 30: Switch and TACACS+ server
December 2017
Configuring Security on VOSS
396
TACACS+ fundamentals
The TACACS+ feature uses Transmission Control Protocol (TCP) for its transport to ensure
reliable delivery of packets. TACACS+ provides security by encrypting all traffic between the
switch, which acts as the Network Access Server, and the TACACS+ server.
TACACS+ is a newer version of TACACS and provides separate authentication, authorization, and
accounting (AAA) services. TACACS+ does not support earlier versions of TACACS.
TACACS+ is a base license feature. The TACACS+ feature is disabled by default.
TACACS+ Operation
The switch acts as an NAS to provide a connection to a single user, to a network, subnetwork or
interconnected networks. The switch acts as a gateway to guard access to the TACACS+ server
and network. Encryption relies on a secret key that is known to the client and the TACACS+
server.
Similar to the Remote Access Dial-In User Services (RADIUS) protocol, TACACS+ provides the
ability to centrally manage the users who want to access a remote device. TACACS+ provides
management of remote and local users who try to access a device through:
• rlogin
• Secure Shell (SSHv2)
• Telnet
• serial port
• Web management
A TACACS+ daemon, which typically runs on a UNIX or Windows NT workstation, maintains the
TACACS+ authentication, authorization, and accounting services.
Extreme Networks Identity Engines supports the TACACS+ daemon.
It is recommended to use the Identity Engines Ignition Server as your TACACS+ server.
You configure users in the TACACS+ server. If you enable authentication, authorization, and
accounting services, the following occurs:
• During the logon process, the TACACS+ client initiates the TACACS+ authentication session
with the TACACS+ server.
• After successful authentication the TACACS+ client initiates the TACACS+ authorization
session with the TACACS+ server. This is transparent to the user. The switch receives the
user access level after a successful TACACS+ authorization. The TACACS+ server
authorizes every command the user issues if TACACS + command authorization is enabled
for that user access level.
• After successful authorization, if you enable TACACS+ accounting, the TACACS+ client
sends accounting information to the TACACS+ server.
A TACACS+ session establishes with the server in one of two ways:
• Multi-connection mode (also known as per-session): For every authentication, authorization,
and accounting (AAA) request the switch establishes a session with the TACACS+ server,
December 2017
Configuring Security on VOSS
397
TACACS+
and then once the request finishes, the session is torn down. Multi-connection mode is the
default mode.
• Single-connection mode: The first AAA request establishes the session, which is only torn
down if TACACS+ is disabled or due to inactivity.
TACACS+ Architecture
You can connect the TACACS+ server to the switch:
• In-band through one of the data ports.
•
Out-of-band through the management port.
Connect the TACACS+ server through a local interface. Management PCs can reside on an outof-band management Ethernet port, or on the corporate network. Place the TACACS+ server on
the corporate network so you can route it to the switch.
Before you configure the switch, you must configure at least one TACACS+ server and a key.
The TACACS+ server and the switch must have the same:
• Encryption key
• Connection mode (single connection or per-session connection. Per-session connection is
the same as multi-connection mode.)
• TCP port number
You can configure a secondary TACACS+ server for backup authentication. You specify the
primary authentication server when you configure the switch.
Authentication, authorization, and accounting
A fundamental feature of TACACS+ is the separation of authentication, authorization, and
accounting (AAA) services, which allows you to selectively implement one or more TACACS +
services.
TACACS+ authentication
TACACS+ authentication provides control of authentication through login and password.
Authentication uses a database of users and passwords to determine:
• who a user is
• whether to allow the user access to the NAS
Important:
Prompts for log on and password occur prior to the authentication process. If TACACS+ fails
because no valid servers exist, the device uses the user name and password from the local
December 2017
Configuring Security on VOSS
398
TACACS+ fundamentals
database. If TACACS+ or the local database returns an access denied packet, the
authentication process stops. The device attempts no other authentication methods.
The following figure illustrates the authentication process.
Figure 31: Authentication process
TACACS+ authorization
The transition from TACACS+ authentication to the authorization phase is transparent to the user.
After successful completion of the authentication session, an authorization session starts with the
authenticated user name. The authorization session provides access level functionality.
Authorization cannot occur without authentication.
Authorization:
• determines what a user can do
• allows administrators fine-grained control over the capabilities of users during sessions
The following figure illustrates the authorization process.
December 2017
Configuring Security on VOSS
399
TACACS+
Figure 32: Authorization process
Authorization determines what a user can do. Authorization gives you the ability to limit network
services to certain users and to limit the use of certain commands to certain users. The TACACS+
feature enhances the security by tightly policing the command execution for a particular user. After
you enable command authorization, all commands, no matter the access level to which they
belong, are sent to the TACACS+ server for authorization. Authorization cannot occur without first
enabling authentication. You must configure command authorization globally and at individual
access levels.
Two kinds of authorization requests exist:
1. Login authorization: Login authorization happens immediately after authentication and is
transparent to the user. When the user logs on to the device, authorization provides the
user access level. With log on, the device does not send a command to the TACACS+
server. You cannot configure login authorization.
2. Command authorization: When you configure command authorization for a particular level,
all commands that you issue are sent to the TACACS+ server for authorization. The device
can only issue the commands the TACACS+ server authorizes. You need to configure
command authorization globally and at individual access levels, which are visible to the
users.
Note:
You must verify that the switch can reach the TACACS+ server and that you configure
TACACS+ properly before you enable command authorization.
If a user is TACACS+ authenticated and command authorization is enabled for that level, then
if the switch cannot reach the TACACS+ server, the switch does not allow the user to issue
any command that has privilege level command authorization enabled. In such a case, the
user can only issue logout and exit commands.
December 2017
Configuring Security on VOSS
400
TACACS+ fundamentals
If a user tries to log in and the TACACS+ server does not exist or is not reachable, then, as
discussed before, a local database in the switch authenticates the user. The switch authorizes
a locally authenticated user and a locally authenticated user is not eligible for TACACS+
command authorization.
After the switch requests authorization, the logon credentials are sent to the TACACS+ daemon
for authorization. If logon authorization fails, the user receives a permission denied message.
If TACACS+ logon authorization succeeds, the switch uses information from the user profile, which
exists in the local user database or on the TACACS+ server, to configure the session for the user.
After you enable TACACS+ command authorization all commands are visible to all users;
however, the user can only issue those commands that the TACACS+ server configuration allows.
The switch cannot enforce command access level. The TACACS+ server returns an access level
to the switch. The switch allows the user to access the switch according to the access level. The
device grants the user access to a command only if the profile for the user allows the access level.
You preconfigure command authorization on the TACACS+ server. You specify a list of regular
expressions that match command arguments, and you associate each command with an action to
deny or permit.
All members in a group have the same authorization. If you place a user in a group, the daemon
looks in the group for authorization parameters if it cannot find them in the user profile.
TACACS+ accounting
TACACS+ accounting enables you to track the services users access and the amount of network
resources users consume.
TACACS+ accounting allows you to track:
• what a user does
• when a user does certain actions
The accounting record includes the following information:
• User name
• Date
• Start/stop/elapsed time
• Access server IP address
• Reason
You can use accounting for an audit trail, to bill for connection time or resources used, or for
network management. TACACS+ accounting provides information about user sessions using the
following connection types: Telnet, rlogin, SSH, and web-based management.
With separation of AAA, accounting can occur independently from authentication and
authorization.
The following figure illustrates the accounting process.
December 2017
Configuring Security on VOSS
401
TACACS+
Figure 33: Accounting process
After you enable accounting, the switch reports user activity to the TACACS+ server in the form of
accounting records. Each accounting record contains accounting attribute value (AV) pairs. AV
pairs are strings of text in the form “attribute-value” sent between the switch and a TACACS+
daemon as part of the TACACS+ protocol. The TACACS+ server stores the accounting records.
You cannot customize the set of events the switch monitors and logs with TACACS+ accounting.
TACACS+ accounting logs the following events:
• User logon and logoff
• Logoff generated because of activity timeout
• Unauthorized command
• Telnet session closed (not logged off)
Privilege level changes at runtime
You can change your privilege level at runtime with the tacacs switch level command.
You need to configure separate profiles in the TACACS+ server configuration file for the switch
level. The switch supports only levels 1 to 6 and level 15. The switch uses the profile when you
December 2017
Configuring Security on VOSS
402
TACACS+ fundamentals
issue the command tacacs switch level <1–15>. As part of the profile, you specify a user
name, level, and password. To preconfigure a dummy user for that level on the TACACS
+ daemon, the format of the user name for the dummy user is $enab<n>$, where <n> is the
privilege level to which you want to allow access.
The following is an example of a TACACS+ server profile, which you configure on the TACACS
+ server:
user = $enab6$ {
member = level6
login = cleartext get-me-on-6
}
The following table maps user accounts to TACACS+ privilege level.
Switch access level
TACACS+ privilege level
Description
NONE
0
If the TACACS+ server returns an
access level of 0, the user is
denied access. You cannot log
into the device if you have an
access level of 0.
READ ONLY
1
Permits you to view only
configuration and status
information.
LAYER 1 READ WRITE
2
Permits you to view most of the
switch configuration and status
information and change physical
port settings.
LAYER 2 READ WRITE
3
Permits you to view and change
configuration and status
information for Layer 2 (bridging
and switching) functions.
LAYER 3 READ WRITE
4
Permits you to view and change
configuration and status
information for Layer 2 and Layer
3 (routing) functions.
READ WRITE
5
Permits you to view and change
configuration and status
information across the switch.
This level does not allow you to
change security and password
settings.
READ WRITE ALL
6
Permits you to have all the rights
of read-write access and the
ability to change security settings,
including command line interface
(CLI) and web-based
management user names and
Table continues…
December 2017
Configuring Security on VOSS
403
TACACS+
Switch access level
TACACS+ privilege level
Description
passwords, and the SNMP
community strings.
NONE
7 to 14
If the TACACS+ server returns an
access level of 7 to 14, the user is
denied access. You cannot log
into the device if you have an
access level of 7 to 14.
READ WRITE ALL
15
Permits you to have all the rights
of read-write access and the
ability to change security settings,
including command line interface
(CLI) and Web-based
management user names and
passwords, and the SNMP
community strings.
Note:
Access level 15 is internally
mapped to access level 6,
which ensures consistency
with other vendor
implementations. The switch
does not differentiate
between an access level of 6
and an access level of 15.
Note:
If you enable enhanced secure mode with the boot config flags enhancedsecuremode command, you enable different access levels, along with stronger password complexity,
length, and minimum change intervals. With enhanced secure mode enabled, the switch
supports the following access levels for RADIUS authentication:
• Administrator
• Privilege
• Operator
• Auditor
• Security
The switch associates each username with a certain role and appropriate authorization rights
to view and configure commands. For more information on system access fundamentals and
configuration, see Administering.
TACACS+ command authorization
After you enable TACACS+ authorization, the current privilege-level to command mapping on the
switch is no longer relevant because the TACACS+ server has complete responsibility for
command authorization. TACACS+ authorization provides access to the system based on
username, not based on privilege level.
December 2017
Configuring Security on VOSS
404
TACACS+ fundamentals
After you enable TACACS+ command authorization for a particular privilege level, and a user with
that privilege level logs on, the user can access commands based on his user name.
TACACS+ switch level and TACACS+ switch back commands
The user can only issue the tacacs switch level command after TACACS+ authenticates
the user. Locally authenticated users, which means users authenticated only by the switch and not
by the TACACS+ server, cannot use the tacacs switch level command.
Consider a user, called X, with a privilege level of 4, who uses the tacacs switch level
<1-15> command to change the privilege level from 4 to 6.
If user X successfully changes the switch level to 6, the user name changes from X to “$enab6$”,
and the privilege level changes from 4 to 6. If TACACS+ command authorization is enabled for
privilege level 6, then the TACACS+ server authorizes commands issued based on the rules
defined for (dummy) user “$enab6$”.
If TACACS+ command authorization is not enabled for privilege level 6, then the switch locally
authorizes the user X based on the privilege level of the user.
The user can return to his previous privilege level using the tacacs switch back command. In
the preceding scenario, if the user issues the tacacs switch back command, the user name
changes for user X from “$enab6$” to X, and the privilege level changes from 6 to 4.
TACACS+ switch level supports up to eight levels, and TACACS+ switch level allows a user to
switch level up to eight times from his original privilege level. The switch stores all of the previous
privilege levels in the same order in which the user switches levels. After switching eight times, if
the user tries to switch a level the ninth time, the following error message displays:
Only allowed to switch level 8 times!
The user can switch back to his previous privilege levels using the tacacs switch back
command. The tacacs switch back command switches back in the reverse order in which
you issued the tacacs switch level command. Consider a user who switched levels from 4
to 5, and then to 6. If the user used the tacacs switch back command, the user first moves
from 6 to 5, and then using the tacacs switch back command again moves from 5 to 4.
Note:
If you want to switch to a privilege level 'X' using tacacs switch level <1-15>
command, you must create a user "$enabX$" on the TACACS+ server. X is the privilege level
that you want to change.
TACACS+ switch level functionality:
The following table explains TACACS+ switch level functionality.
User logs in with
TACACS+ server available
Result
TACACS+ authentication
Yes
The user can issue the tacacs
switch level <1–15>
command.
Local authentication
No
The user cannot issue the
tacacs switch level <1–
15> command.
Table continues…
December 2017
Configuring Security on VOSS
405
TACACS+
User logs in with
TACACS+ server available
Result
Local authentication
Yes
Even if a TACACS+ server
becomes reachable, the user
remains locally authenticated and
cannot issue the tacacs
switch level <1–15>
command.
TACACS+ command authorization functionality:
The following table explains TACACS+ command authorization functionality.
User logs in with
Command authorization
Result
Local authentication
—
The switch authorizes the user
locally.
TACACS+ authentication
Not enabled for the logged-in
level.
The switch authorizes the user
locally. If the server connection is
lost, the switch authorizes the
user locally.
TACACS+ authentication
Enabled for the logged-in level.
The TACACS+ server authorizes
the user. If the server connection
is lost, the user can only issue
exit and logout commands.
Note:
A user who configures TACACS+ is locally authenticated and authorized by the switch, so
even after the user configures TACACS+, the switch continues to locally authorize the user.
TACACS+ and RADIUS differences
TACACS+ and RADIUS are security protocols that you can use on network devices.
You can enable TACACS+ and RADIUS together. However, TACACS+ has a higher priority. If the
TACACS+ server is not available the authentication is sent to RADIUS, if RADIUS is enabled.
However, if TACACS+ authentication fails, then requests are not sent to RADIUS.
Following is a list of differences between TACACS+ and RADIUS.
TACACS+
RADIUS
Separates Authorization, Authentication and
Accounting (AAA). As a result, you can selectively
implement one or more TACACS+ services. With
TACACS+ you can use different servers for each
service.
Combines authentication and authorization.
Uses TCP.
Uses UDP.
Table continues…
December 2017
Configuring Security on VOSS
406
TACACS+ fundamentals
TACACS+
TCP is connection-oriented.
RADIUS
UDP is best-effort delivery.
TCP immediately indicates if a server crashes or is
not running. TCP offers an acknowledgement that a
request has been received.
RADIUS uses re-transmit attempts and timeouts to
make up for the support TCP has.
Encrypts the entire body of the packet, which
includes the password and username.
Encrypts only the password from the client to the
server.
Used for administrator access. Usually used for
administrator access to network devices.
Used for subscriber access. Usually used to
authenticate remote users to a network.
Can control which access level of commands a user Cannot control which access level of commands
or group can access.
can be used.
TACACS+ feature limitations
TACACS+ does not support the following features:
• Point-to-Point Protocol (PPP) authentication and accounting
• IPv6 for TACACS+
• S/KEY (One Time Password) authentication
• PAP/CHAP/MSCHAP authentication methods
• The FOLLOW response of a TACACS+ server, in which the AAA services are redirected to
another server. The response is interpreted as an authentication failure.
• User capability to change passwords at runtime over the network. The system administrator
must change user passwords locally, on the server.
• TACACS+ command authorization when the user accesses the switch through EDM and
SNMP.
• Restriction of command authorization for a specific kind of access. After you enable
command authorization, command authorization applies for Telnet, SSH, rlogin, and serialport access. You cannot restrict command authorization to just one kind of access.
If a user is TACACS+ authenticated and command authorization is enabled for that level, then if
the switch cannot reach the TACACS+ server, the switch does not allow the user to execute any
command that has privilege level command authorization enabled.
December 2017
Configuring Security on VOSS
407
TACACS+
TACACS+ configuration using CLI
Enabling TACACS+
Enable TACACS+ globally on the switch.
The switch supports the TACACS+ client. TACACS+ is a security application implemented as a
client and server-based protocol that provides centralized validation of users who attempt to gain
access to a router or network access server (the switch).
By default, TACACS+ is disabled.
Before you begin
• You must have access to and you must configure a TACACS+ server before the TACACS+
features on your switch are available.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable TACACS+ globally:
tacacs protocol enable
3. Disable TACACS+ globally:
no tacacs protocol enable
default tacacs protocol enable
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs protocol enable
Adding a TACACS+ server
Add a primary and secondary TACACS+ server and specify the authentication process.
If you have a backup server configured, the AAA request goes to the backup server if the primary
server is not available.
You are recommended to use the Identity Engines Ignition server as your TACACS+ server.
December 2017
Configuring Security on VOSS
408
TACACS+ configuration using CLI
About this task
The TACACS+ server and the switch must have the same:
• Encryption key
• Connection mode (single connection or per-session connection. Per-session connection is
the same as multi-connection mode)
• TCP port number
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Add a primary TACACS+ server with an encryption key:
tacacs server host {A.B.C.D} key WORD<0–128>
3. (Optional) Configure the parameters for the primary TACACS+ server as required.
a. (Optional) Specify a single connection. The single connection parameter maintains a
constant connection between the switch and the TACACS+ daemon:
tacacs server host {A.B.C.D} single-connection
Note:
The TACACS+ daemon must also support this mode. If you do not configure this,
the switch uses the default connection type, which is the per-session connection.
Per-session is the same as multi-connection mode.
b. (Optional) Specify the TCP port to use when the switch connects to the TACACS+
daemon:
tacacs server host {A.B.C.D} port <1–65535>
The default port is 49.
c. (Optional) Specify the period of time (in seconds) the switch waits for a response
from the TACACS+ daemon before it times out and shows an error:
tacacs server host {A.B.C.D} timeout <10–30>
d. (Optional) Designate a fixed source IP address for all outgoing TACACS+ packets
and enable this option:
tacacs server host {A.B.C.D} source {A.B.C.D}source-ipinterface enable
4. Specify the IP address of the secondary TACACS+ server and specify an encryption key:
tacacs server secondary-host {A.B.C.D} key WORD<0–128>
December 2017
Configuring Security on VOSS
409
TACACS+
5. (Optional) Configure the optional parameters on the secondary TACACS+ server as
required.
a. (Optional) Specify a single connection for the secondary TACACS+ server. The
single connection parameter maintains a constant connection between the switch and
the TACACS+ daemon:
tacacs server secondary-host {A.B.C.D} single-connection
Note:
The TACACS+ daemon must also support this mode. If you do not configure this,
the switch uses the default connection type, which is the per-session connection.
Per-session is the same as multi-connection mode.
b. (Optional) Specify the TCP port to use when the switch connects to the TACACS+
daemon:
tacacs server secondary-host {A.B.C.D} port <1–65535>
c. (Optional) Specify the period of time (in seconds) the switch waits for a response
from the TACACS+ daemon before it times out and shows an error:
tacacs server secondary-host {A.B.C.D} timeout<10–30>
d. (Optional) Designate a fixed source IP address for all outgoing TACACS+ packets
and enable this option:
tacacs server secondary-host {A.B.C.D} source {A.B.C.D} sourceip-interface enable
6. Display the status of the TACACS+ configuration:
show tacacs
7. (Optional) Delete a primary TACACS+ server:
no tacacs server host{A.B.C.D} [single-connection][source sourceip-interface enable]
8. (Optional) Delete a backup TACACS+ server:
no tacacs server secondary-host{A.B.C.D} [single-connection][source
source-ip-interface enable]
9. (Optional) Configure a primary TACACS+ server or secondary TACACS+ server to the
default settings:
default tacacs server {A.B.C.D} [port][single-connection][source
source-ip-interface enable][timeout]
Example
Configure the primary server with the IP address 192.0.2.1 and the encryption key 1dt41y.
Configure the secondary server with the IP address 198.51.100.2 with the same encryption key
1dt41y. Display the configuration to ensure proper configuration.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs server host 192.0.2.1 key 1dt4ly
December 2017
Configuring Security on VOSS
410
TACACS+ configuration using CLI
Switch:1(config)#tacacs server secondary-host 198.51.100.2 key 1dt4ly
Switch:1(config)#show tacacs
Global Status:
global enable : true
authentication enabled for : cli
accounting enabled for : none
authorization : disabled
User privilege levels set for command authorization : None
Server:
create :
Prio
Status Key
SourceEnabled
Primary
Conn
******
false
Backup
NotConn ******
false
Port
IP address
Timeout Single Source
49
192.0.2.1
10
false
0.0.0.0
49
198.51.100.2
10
false
0.0.0.0
Switch:1(config)#no tacacs server host 192.0.2.1
Switch:1(config)#no tacacs server secondary-host 198.51.100.2
Variable definitions
Use the data in the following table to use the tacacs server host and the tacacs server
secondary-host commands.
Variable
Value
{A.B.C.D}
Specifies the IP address of the TACACS+ server
you want to add.
Only IPv4 addresses are valid.
key WORD <0-128>
Configures the authentication and encryption key
for all TACACS+ communications between the
device and the TACACS+ server. If the key length is
zero, that indicates no encryption is used.
You must configure the same encryption key for the
TACACS+ server and the switch.
port <1-65535>
Configures the TCP port, on which the client
establishes a connection to the server. A value of 0
indicates the system specified default value is used.
The default is 49.
You must configure the same TCP port for the
TACACS+ server and the switch.
single-connection
Specifies if the TCP connection between the device
and the TACACS+ server is a single connection. If
you specify the single connection parameter, the
Table continues…
December 2017
Configuring Security on VOSS
411
TACACS+
Variable
Value
connection between the switch and the TACACS+
daemon remains open, which is more efficient
because it allows the daemon to handle a higher
number of TACACS+ operations. The singleconnection is torn down if TACACS+ is disabled due
to inactivity.
If you do not configure this, the switch uses the
default connection type, which is the multiconnection. With the multi-connection, the
connection opens and closes each time the switch
and TACACS+ daemon communicate.
Note:
You must configure the same connection mode
for the TACACS+ server and the switch.
To enable single-connection, the TACACS+
daemon has to support this mode as well.
source {A.B.C.D}
Designates a fixed source IP address for all
outgoing TACACS+ packets, which is useful if the
router has many interfaces and you want to make
sure all TACACS+ packets from a certain router
have the same IP address.
If you do not configure an address, the system uses
0.0.0.0 as the default.
Only IPv4 addresses are valid.
Note:
If you configure a valid source IP address that
is not 0.0.0.0 without enabling source-ipinterface, the source IP address returns to
0.0.0.0.
source-ip-interface enable
Enables the source address. You must enable this
parameter if you configure a valid source IP
address. The default is disabled.
timeout <10-30>
Configures the maximum time, in seconds, to wait
for this TACACS+ server to reply before it times out.
The default value is 10 seconds.
Job aid
The following table describes the fields in the output for the show tacacs command.
Name
Description
Global Status
Table continues…
December 2017
Configuring Security on VOSS
412
TACACS+ configuration using CLI
Name
Description
global enable
Displays if the TACACS+ feature is enabled
globally.
authentication enabled for
Displays which application is authenticated by
TACACS+. The possibilities are CLI, web, or all.
accounting enabled for
Displays if accounting is enabled. You can only
enable accounting for CLI. By default, accounting is
not enabled.
authorization
Displays if authorization is enabled.
User privilege levels set for command
authorization
Displays the privilege levels set for command
authorization. When you configure command
authorization for a particular level, all commands
that you execute are sent to the TACACS+ server
for authorization. The device can only execute the
commands the TACACS+ server authorizes.
The user privilege levels are:
• 0: denied access
• 1: read only (ro) access
• 2: Layer 1 read and write (l1) access
• 3: Layer 2 read and write (l2) access
• 4: Layer 3 read and write (l3) access
• 5: read and write (rw) access
• 6: read and write all (rwa) access
• 7-14: denied access
• 15: read and write all (rwa) access
Server
Prio
Displays the priority of the TACACS+ server. The
switch attempts to use the primary server first, and
the secondary server second.
Status
Displays the connection status between the server
and the switch – connected or not connected.
Key
Displays as ****** instead of the actual key. The key
is secret and is not visible.
Port
Displays the TCP port used to establish the
connection to the server. The default port is 49.
IP address
Displays the IP address for the primary and
secondary TACACS+ servers.
Timeout
Displays the period of time, in seconds, the switch
waits for a response from the TACACS+ daemon
Table continues…
December 2017
Configuring Security on VOSS
413
TACACS+
Name
Description
before it times out and declares an error. The
default is 10 seconds.
Single
Displays if a single open connection is maintained
between the switch and TACACS+ daemon, or if the
switch opens and closes the TCP connection to the
TACACS+ daemon each time they communicate.
The default is false, which means the device does
not maintain the single open connection.
Source
Displays the fixed source IP address, if you
configure one, for all outgoing TACACS+ packets.
SourceEnabled
Displays if the fixed source IP address is enabled
for all outgoing TACACS+ packets.
Configuring TACACS+ authentication
Configure what application TACACS+ authenticates: CLI, web, or all.
TACACS+ authentication provides control of authentication through login and password.
By default, CLI authentication is enabled.
Before you begin
• You must enable TACACS+ globally for TACACS+ authentication to function.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Configure TACACS+ authentication:
tacacs authentication <all/cli/web>
3. (Optional) Disable TACACS+ authentication:
no tacacs authentication <all/web>
4. (Optional) Configure TACACS+ authentication to the default settings (default is cli
authentication enabled):
default tacacs authentication <all/cli/web>
5. Display the configuration:
show tacacs
December 2017
Configuring Security on VOSS
414
TACACS+ configuration using CLI
Example
Configure TACACS+ to authenticate CLI and display the configuration.
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs authentication cli
Switch:1(config)#show tacacs
Global Status:
global enable : true
authentication enabled for : cli
accounting enabled for : none
Server:
Prio
Primary
Backup
create :
Status Key
Conn
******
NotConn ******
Port
49
49
IP address Timeout
192.0.2.1
10
198.51.100.2
10
SingleSource Source Enabled
false
0.0.0.0 false
false
0.0.0.0 false
Variable definitions
Use the data in the following table to use the tacacs authentication command.
Variable
Value
all
Specifies TACACS+ authentication for all
applications. By default, CLI authentication is
enabled.
cli
Specifies TACACS+ authentication for command
line connections. By default, CLI authentication is
enabled.
web
Specifies TACACS+ authentication for web
connections. By default, CLI authentication is
enabled.
Configuring TACACS+ accounting
Determines for which applications TACACS+ collects accounting information. Use TACACS+
accounting to track the services that users access and the amount of network resources that users
consume. If unassigned, TACACS+ does not perform the accounting function.
If enabled, TACACS+ accounting logs the following events:
• User log on and log off
• Log off generated because of activity timeout
• Unauthorized command
• Telnet session closed (not logged off)
If unassigned, TACACS+ does not perform the accounting function. No default value exists.
December 2017
Configuring Security on VOSS
415
TACACS+
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable TACACS+ accounting:
tacacs accounting enable cli
3. (Optional) Disable TACACS+ accounting:
no tacacs accounting cli
tacacs accounting disable [cli]
Example
Enable TACACS+ accounting:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs accounting enable cli
Configuring command authorization with TACACS+
Use this procedure to enable TACACS+ authorization for a particular privilege level. Use this
option to limit the use of certain commands to certain users.
If command authorization fails, the following log message displays: Command <command> not
authorized for user <username>.
By default, command authorization is disabled on the switch. The default for the command
authorization level is none.
Before you begin
• You must have access to and you must configure a TACACS+ server before the TACACS+
features on your switch are available. You must verify that the switch can reach the TACACS
+ server and that you configure TACACS+ properly before you enable command
authorization. If a user is TACACS+ authenticated and command authorization is enabled for
that level, then if the switch cannot reach the TACACS+ server, the switch does not allow you
to issue any command that has privilege level command authorization enabled. If the switch
cannot reach the TACACS+ server, you can only issue logout and exit commands.
• To use TACACS+ authorization, you must enable TACACS+ authentication.
About this task
Two kinds of authorization requests exist:
1. Login authorization: Login authorization happens immediately after authentication when
the user logs on to the device, authorization provides the user access level. You cannot
configure login authorization.
December 2017
Configuring Security on VOSS
416
TACACS+ configuration using CLI
2. Command authorization: When you configure command authorization for a particular level,
all commands that you issue are sent to the TACACS+ server for authorization. You need
to configure command authorization globally and at individual access levels.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Enable TACACS+ authorization:
tacacs authorization enable
3. Configure TACACS+ privilege level for TACACS+ command authorization:
tacacs authorization level <1–6>
tacacs authorization level all
tacacs authorization level none
4. (Optional) Disable TACACS+ authorization:
tacacs authorization disable
default tacacs authorization
Example
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs authorization enable
Switch:1(config)#tacacs authorization level 6
Variable definitions
Use the data in the following table to use the tacacs authorization command.
Variable
Value
level <1–6>
Enables command authorization for a specific
privilege level. The default for the command
authorization level is none.
level all
Enables command authorization for all privilege
levels. The default for the command authorization
level is none.
level none
Disables command authorization for all privilege
levels. The default for the command authorization
level is none.
December 2017
Configuring Security on VOSS
417
TACACS+
Changing privilege levels at runtime
Users can change their privilege levels at runtime. The privilege level determines what commands
a user can access through TACACS+ server authorization.
A user can only use the tacacs switch level command, after TACACS+ authenticates the
user. Locally authenticated users, which means users authenticated only by the switch and not by
the TACACS+ server, cannot use the tacacs switch level command.
Before you begin
• You need to configure separate profiles in the TACACS+ server configuration file for switch
level. As part of the profile, you specify a user name, level, and password.
About this task
After you enable TACACS+ authorization, the current privilege-level to command mapping on the
switch is no longer relevant because the TACACS+ server has complete responsibility for
command authorization. TACACS+ authorization provides access to the system based on
username, not based on privilege level.
After you enable TACACS+ command authorization for a particular privilege level, and a user with
that privilege level logs on, the user can access commands based on his user name.
Note:
If you want to switch to a privilege level 'X' using tacacs switch level <1-15>
command, you must create a user "$enabX$" on the TACACS+ server. X is the privilege level
to which you want to change.
Procedure
1. Enter Global Configuration mode:
enable
configure terminal
2. Change the privilege level for a user at runtime:
tacacs switch level <1–15>
3. Return to the original privilege level:
tacacs switch back
Example
Change the privilege level for a user at runtime. Return to the original privilege level:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs protocol enable
Switch:1(config)#tacacs switch level 5
Password:******
December 2017
Configuring Security on VOSS
418
TACACS+ configuration using EDM
Return to the original privilege level:
Switch:1(config)#tacacs switch back
Variable definitions
Use the data in the following table to use the tacacs switch command.
Variable
Value
level <1–15>
Specifies the privilege level you want to access. You
can change your privilege level at runtime by using
this parameter. You are prompted to provide the
required password. If you do not specify a level in
the command, the administration level is selected
by default.
Note:
For switch level, you need to configure
separate profiles in the TACACS+ server
configuration file. As part of the profile, you
specify a username, level, and password. To
preconfigure a dummy user for that level on
the TACACS+ daemon, the format of the
username for the dummy user is $enab<n>$,
where <n> is the privilege level to which you
want to allow access.
back
Specifies that you want to return to the original
privilege level.
TACACS+ configuration using EDM
Configuring TACACS+ globally
Enable TACACS+ globally on the switch. TACACS+ is a security application implemented as a
client and server-based protocol that provides centralized validation of users. By default, TACACS
+ is disabled.
Before you begin
• You must have access to and you must configure a TACACS+ server before the TACACS+
features on your switch (network access server) are available.
You must verify that the switch can reach the TACACS+ server and that you configure
TACACS+ properly before you enable command authorization.
• If a user is TACACS+ authenticated and command authorization is enabled for that level,
then if the switch cannot reach the TACACS+ server, the switch does not allow the user to
December 2017
Configuring Security on VOSS
419
TACACS+
issue any command that has privilege level command authorization enabled. In such a case,
the user can only issue logout and exit commands.
• You must enable TACACS+ globally for TACACS+ authentication to function.
• You must enable TACACS+ authentication for TACACS+ authorization to function.
About this task
Configure what application TACACS+ authenticates. TACACS+ authentication provides control of
authentication through login and password dialog, challenge and response. By default, CLI
authentication is enabled.
After authentication is complete, the switch starts the authorization process. By default, command
authorization is disabled on the switch. The default for the command authorization level is none. If
command authorization fails, the following log message displays: Command <command> not
authorized for user <username>.
Two kinds of authorization requests exist:
1. Login authorization: Login authorization happens immediately after authentication when
the user logs on to the device, authorization provides the user access level. You cannot
configure login authorization.
2. Command authorization: When you configure command authorization for a particular level,
all commands that you issue are sent to the TACACS+ server for authorization. You need
to configure command authorization globally and at individual access levels.
Enable TACACS+ accounting function and determine which application TACACS+ accounts. After
you enable accounting, the switch reports user activity to the TACACS+ server in the form of
accounting records. The default for accounting is none.
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click TACACS+.
3. Click the TACACS+ Globals tab.
4. Select the GlobalEnable check box to enable TACACS+ globally.
5. Select the cli check box to enable the Accounting option.
6. Select the cli or web check box to enable the Authentication option.
7. Click the CliCommandAuthorizationEnabled box to enable TACACS+ authorization.
8. Select the level in the CliCommandAuthorizationLevels box.
9. Click Apply.
TACACS+ Globals field descriptions
Use the data in the following table to use the TACACS+ Globals tab.
December 2017
Configuring Security on VOSS
420
TACACS+ configuration using EDM
Name
Description
GlobalEnable
Enables or disables the TACACS+ feature globally.
Accounting
Determines for which applications TACACS+
collects accounting information. Use TACACS+
accounting to track the services that users access
and the amount of network resources that users
consume. If unassigned, TACACS+ does not
perform the accounting function. The default is
none.
If enabled, TACACS+ accounting logs the following
events:
• User log on and log off
• Log off generated because of activity timeout
• Unauthorized command
• Telnet session closed (not logged off)
Authentication
Configures what application TACACS+
authenticates. The options include:
• cli
• web
TACACS + authentication provides control of
authentication through login and password dialog,
challenge and response.
By default, CLI authentication is enabled.
LastUserName
Displays the last user for which the system
attempted authentication.
LastAddressType
Displays the type of address to access the TACACS
+ server.
LastAddress
Displays the last address to access the TACACS+
server.
CliCommandAuthorizationEnabled
Enables TACACS+ authorization for a particular
privilege level. Use this option to limit the use of
certain commands to certain users. To use TACACS
+ authorization, you must also use TACACS+
authentication.
The switch allows the user to access the switch
according to the access level. The default is
disabled.
CliCommandAuthorizationLevels
Enables command authorization for a specific
privilege level.
The default for the command authorization level is
none.
December 2017
Configuring Security on VOSS
421
TACACS+
Adding a TACACS+ server
Add a TACACS+ server, configure the TACACS+ server, and specify the authentication process.
If you have a secondary server configured, the AAA request goes to the backup server if the
primary server is not available.
You are recommended to use the Identity Engines Ignition Server as your TACACS+ server.
Before you begin
You must have access to and you must configure a TACACS+ server before the TACACS+
features on your switch are available.
About this task
The TACACS+ server and the switch must have the same:
• Encryption key
• Connection mode (single connection or per-session connection. Per-session is the same as
multi-connection mode.)
• TCP port number
Procedure
1. In the navigation pane, expand the following folders: Configuration > Security > Control
Path.
2. Click TACACS+.
3. Click the TACACS+ Servers tab.
4. Click Insert.
5. In the AddressType box, select ipv4.
6. In the Address field, type the IP address of the TACACS+ server.
7. (Optional) In the PortNumber field, type the TCP port on which the client establishes a
connection to the TACACS+ server.
8. (Optional) In the ConnectionType box, select either singleConnection or
perSessionConnection to specify the TCP connection type between the switch and
TACACS+ server.
9. (Optional) In the Timeout field, type the period of time (in seconds) the switch waits for a
response from the TACACS+ server.
10. In the Key field, enter the key that the switch and the TACACS+ server share.
11. (Optional) Select SourceIpInterfaceEnabled, if you want to enable the switch to
designate a fixed source IP address for all outgoing TACACS+ packets.
12. In the SourceIPInterfaceType box, select ipv4.
13. (Optional) In the SourceIpInterface field, type a fixed source IP address if you want to
designate a fixed source IP address for all outgoing TACACS+ packets.
December 2017
Configuring Security on VOSS
422
TACACS+ configuration using EDM
14. In the Priority box, select either primary or backup to determine the order the switch uses
the TACACS+ servers.
15. Click Insert.
TACACS+ Servers field descriptions
Use the data in the following table to use the TACACS+ Servers tab.
Name
Description
AddressType
Specifies the type of IP address to use on the
TACACS+ server. You must set the value to IPv4.
Address
Specifies the IP address of the TACACS+ server.
PortNumber
Configures the TCP port on which the client
establishes a connection to the server. The default
is 49. A value of 0 indicates that the system
specified default value is used.
You must configure the same TCP port for the
TACACS+ server and the switch.
ConnectionType
Specifies if the TCP connection between the device
and the TACACS+ server is a single connection. If
you specify the single connection parameter, the
connection between the switch and the TACACS+
daemon remains open, which is more efficient
because it allows the daemon to handle a higher
number of TACACS+ operations. The singleconnection session is torn down if TACACS+ is
disabled due to inactivity.
If you do not configure this parameter, the switch
uses the default connection type, which is the multiconnection. With the multi-connection, the
connection opens and closes each time the switch
and TACACS+ daemon communicate.
Note:
You must configure the same connection mode
for the TACACS+ server and the switch.
To enable single-connection, the TACACS+
daemon has to support this mode as well.
ConnectionStatus
Specifies if the TCP connection between the device
and TACACS+ server is connected or not
connected.
Timeout
Configures the maximum time, in seconds, to wait
for this TACACS+ server to reply before it times out.
The default value is 10 seconds.
Table continues…
December 2017
Configuring Security on VOSS
423
TACACS+
Name
Description
Key
Configures the authentication and encryption key
for all TACACS+ communications between the
device and the TACACS+ server. If the key length is
zero, that indicates no encryption is used.
You must configure the same encryption key for the
TACACS+ server and the switch.
SourceIpInterfaceEnabled
Enables the source address specification. If
SourceIpInterfaceEnabled is true (the check box
is selected), and you change
SourceIpInterfaceEnabled to false (the check box
is cleared), the SourceIpInterface is reset to
0.0.0.0. The default is disabled.
You must enable this parameter if you configure a
valid source IP address
SourceIpInterfaceType
Specifies the type of IP address to use on the
interface that connects to the TACACS+ server.
Note:
You must set the value to IPv4.
SourceIpInterface
Designates a fixed source IP address for all
outgoing TACACS+ packets, which is useful if the
router has many interfaces and you want to make
sure all TACACS+ packets from a certain router
have the same IP address.
If you do not configure an address, the system uses
0.0.0.0 as the default.
Only IPv4 addresses are valid.
Note:
If you configure a valid source IP address that
is not 0.0.0.0 without enabling source-ipinterface, the source IP address returns to
0.0.0.0.
Priority
Determines the order in which the switch uses the
TACACS+ servers, where 1 is the highest priority.
The priority values are primary and backup.
If more than one server shares the same priority,
the device uses the servers in the order they exist in
the table.
Modifying a TACACS+ configuration
Modify an existing TACACS+ configuration to customize the server.
December 2017
Configuring Security on VOSS
424
TACACS+ configuration examples
Procedure
1. In the navigation tree, expand the following folders: Configuration > Security > Control
Path.
2. Click TACACS+.
3. Click TACACS+ Servers tab.
4. Double-click in the fields that you want to modify.
In some of the fields, the text becomes bold, which indicates that you can edit them. In
other fields, a list appears.
5. In the fields that you can edit, type the desired values.
6. In the fields with lists, select the desired option.
7. Click Apply.
TACACS+ configuration examples
This section provides configuration examples to configure the switch and Identity Engines Ignition
Server to use TACACS+.
Figure 34: VSP switch connects to the Identity Engines Ignition Server
TACACS+ configuration on the switch
The following section shows the steps required to configure TACACS+ on the switch.
The example displays how to:
• Configure a key to be used by the TACACS+ server and the switch. In the example, the key
is configured to the word secret.
• Configure an IP address for the TACACS+ server. In the example the IP address for the
primary server is 192.0.2.8, which is accessible by the Management Router VRF.
December 2017
Configuring Security on VOSS
425
TACACS+
• Configure the TACACS+ server to authenticate CLI sessions.
• Enable TACACS+.
Switch
TACACS CONFIGURATION
tacacs
tacacs
tacacs
tacacs
tacacs
server host 192.0.2.8 key ******
protocol enable
accounting enable cli
authorization enable
authorization level 6
Verify your configuration
The show tacacs output must show as global enable: true to confirm TACACS is
enabled.
The output for the show tacacs command must display the IP addresses for the TACACS+
Identity Engines Ignition Server. The IP addresses must be accessible to the Management Router
VRF on the switch.
If you want to use the TACACS+ server to authenticate sessions in CLI, the output must display as
authentication enabled for: cli. If you want to authenticate EDM sessions, the output
must display as authentication enabled for: web.
Ensure the other parameters match what you have configured.
Global Status:
global enable : true
authentication enabled for : cli
accounting enabled for : cli
authorization : enabled
User privilege levels set for command authorization : rwa
Server:
Prio
Status
SourceEnabled
Primary
Conn
false
create :
Key
Port
IP address
Timeout Single Source
******
49
192.0.2.8
10
false
0.0.0.0
Identity Engines Ignition Server TACACS+ configuration example
The following section shows the steps required to configure TACACS+ on Identity Engines Ignition
Server, Release 8.0. Use the preceding information to configure the switch.
A TACACS+ server responds to and audits network access requests. In an installation, the Identity
Engines Ignition Server is the TACACS+ server.
The example displays how to do the following:
• Enable TACACS+
December 2017
Configuring Security on VOSS
426
TACACS+ configuration examples
• Configure a user
• Create a command set
• Configure the authentication protocol policy
• Create the authorization policy
• Configure TACACS+ authenticators
For more information on the Ignition Server, see Identity Engines Ignition Server Administration,
NN47280–600.
Before you begin
• Configure the Ignition Server appliance and set up its network settings. For more information,
see Identity Engines Ignition Server Getting Started, NN47280–300.
• Install the Ignition Dashboard on your Windows OS.
• Configure each authenticator (switch) to recognize the Ignition Server appliance as its
TACACS+ server.
• Configure your switch to send packets to the Ignition Server appliance with the appropriate IP
address and port.
• Ensure licenses are up-to-date.
Procedure
1. If the Ignition Server Dashboard is not connected to your Ignition Server, select
Administration: Login to connect.
a. The default login credentials for User Name and Password are admin/admin. You
are recommended to change the default values.
b. In the Connect to field enter the IP address of the Ignition Server for TACACS+. In
this example, the IP address for the TACACS+ server is 192.0.2.8.
2. Enable TACACS+.
a. In the Ignition Server Dashboard, select Site 0.
b. In the Sites window, select the Services tab.
c. Under the Services tab, select the TACACS+ tab.
d. Click the Edit button in the TACACS+ tab.
e. In the Edit TACACS+ Configuration dialog box, select the Protocol is enabled box.
f. In the Bound Interface field, select Admin Port.
g. In the Port field, enter 49.
h. Select Accept Requests from Any Authenticator.
Select this option if you want to create a global TACACS+ authenticator that sets
policy for all authenticators that do not match a specific TACACS+-enabled
authentication in your Ignition Server configuration.
December 2017
Configuring Security on VOSS
427
TACACS+
i. In the Access Policy field, select default-tacacs-admin.
Use this configuration in the case of a global TACACS+ authenticator. Choose your
global TACACS+ policy that you want applied if the device finds no better matching
authenticator.
j. In TACACS+ Shared Secret field, enter the secret that the switch and TACACS+
Ignition Server share. In this example, the shared secret is secret.
k. Click OK.
3. Configure a user recognized by the TACACS + server.
a. In the Ignition Server Dashboard, expand the following in the Configuration tree: Site
Configuration > Directories > Internal Store > Internal Users.
b. Click New.
c. Fill in the appropriate fields.
As an example:
User Name: jsmith
First Name: John
Last Name: Smith
Password: test
Confirm password: test
4. If your TACACS+ policy uses per-command authorization, create a command set.
a. In the Ignition Server Dashboard, expand the following in the Configuration tree: Site
Configuration > Access Policies > TACACS+.
b. Click Define Command Sets.
c. Click New.
d. In the New Device Command Set window, type a Name and Description for the
command set; for instance, level5.
In this window you build your command set by adding commands to the list. You can
build the command list manually or you can import a list. For more information on
importing a command list, see Identity Engines Ignition Server Administration,
NN47280–600.
e. To manually add the commands, click Add in the New/Edit Device Command Set
window.
f. Click the Simple Command Using Keywords and Arguments box.
g. In the Command field, type the command, and optionally its arguments.
h. To allow the command to be used with any argument, select the Allow box.
i. To allow only the specific command and arguments you have types, tick the Deny
box.
December 2017
Configuring Security on VOSS
428
TACACS+ configuration examples
j. Click OK to add the command to the list.
k. Continue to add the commands that you want.
5. If your TACACS+ policy uses privilege-level authorization, create the TACACS+ access
policy to allow the TACACS+ Ignition Server to communicate with the switch.
a. In the Ignition Server Dashboard, expand the following in the Configuration tree: Site
Configuration > Access Policies > TACACS+.
b. Select default-tacacs-admin.
c. Click on the Authorization Policy tab and select the name of the policy you want to
edit.
d. Click Edit and the Edit Authorization Policy window appears.
e. In the Rules section, select the rule you want to edit. In this case select level5, to
which you have already added commands.
The Rules list at the left lets you browse and sort the rules in your policy. Use the up
and down arrow buttons at the right to set the rule sequence, and click a rule name in
the list to edit that rule. The Selected Rule Details section lets you edit the rule you
have selected.
f. In the Selected Rule Details section, under Rule Name, for this example, it reads
level5.
g. Select Rule Enabled.
h. With level5 selected in the Rules list, go to the buttons to the right of the Constraint
list and click New.
i. In the Action section, select Allow.
j. Select the Command Sets tab, in the Action section. Allow Commands in Set should
read level-5, in this example, and under All Command Sets all the commands that are
accessible under level5 should be listed.
k. Click OK.
For this example to function properly, the summary window must display:
IF User: user-id = level5 THEN Allow
Permit commands in Command Set: level-5
6. Configure the Ignition Server to connect to authenticators, which is the switch:
a. In the Ignition Server Dashboard, expand the following folders: Site Configuration >
Authenticators > default and the Authenticator Summary window appears.
b. Click New, and the Authenticator Details window appears.
c. For this example, type VSPswitch under name.
d. To the right select Enable Authenticator.
e. Type the IP address for the switch, which is the authenticator. Use the primary CPU
address or the management virtual address.
December 2017
Configuring Security on VOSS
429
TACACS+
f. In the Vendor field, select Nortel.
g. In the Device template field, select ers-switches-nortel.
h. Select the TACACS+ Settings tab.
i. Select Enable TACACS+ Access.
j. In the TACACS+ Shared Secret field, type the key value you entered into the switch.
In this example, the key is the word secret.
To connect using TACACS+, you must use the shared secret for each device. In your
switch documentation, the shared secret can also be referred to as a specific key
string or an encryption string.
k. Under Access Policy, select default-tacacs-user.
l. Click OK.
December 2017
Configuring Security on VOSS
430
Glossary
American Standard
Code for Information
Interchange (ASCII)
A code to represent characters in computers. ASCII uses uppercase and
lowercase alphabetic letters, numeric digits, and special symbols.
authentication server
A RADIUS server that provides authorization services to the
authenticator, which is software that authorizes or rejects a supplicant
attached to the other end of the LAN segment.
Authentication,
Authorization, and
Accounting (AAA)
Authentication, Authorization, and Accounting (AAA) is a framework used
to control access to a network, limit network services to certain users, and
track what users do. Authentication determines who a user is before
allowing the user to access the network and network services.
Authorization allows you to determine what you allow a user to do.
Accounting records what a user is doing or has done.
Challenge
Handshake
Authentication
Protocol (CHAP)
An access protocol that exchanges a random value between the server
and the client and is encrypted with a challenge password.
controlled port
In relation to EAPoL, any port on the device with EAPoL enabled.
daemon/server
A daemon is a program that services network requests for authentication
and authorization, verifies identities, grants or denies authorizations, and
logs accounting records.
Data Encryption
Standard
(DES)access control
entry (ACE)
A cryptographic algorithm that protects unclassified computer data. The
National Institute of Standards and Technology publishes the DES in the
Federal Information Processing Standard Publication 46-1.
Global routing
engine (GRE)
The base router or routing instance 0 in the Virtual Routing and
Forwarding (VRF).
Institute of Electrical
and Electronics
Engineers (IEEE)
An international professional society that issues standards and is a
member of the American National Standards Institute, the International
Standards Institute, and the International Standards Organization.
December 2017
Configuring Security on VOSS
431
Glossary
Internet Engineering
Task Force (IETF)
A standards organization for IP data networks.
Layer 2
Layer 2 is the Data Link Layer of the OSI model. Examples of Layer 2
protocols are Ethernet and Frame Relay.
Layer 3
Layer 3 is the Network Layer of the OSI model. An example of a Layer 3
protocol is Internet Protocol (IP).
Local Area Network
(LAN)
A data communications system that lies within a limited spatial area, uses
a specific user group and topology, and can connect to a public switched
telecommunications network (but is not one).
management
information base
(MIB)
The MIB defines system operations and parameters used for the Simple
Network Management Protocol (SNMP).
mask
A bit string that the device uses along with an IP address to indicate the
number of leading bits in the address that correspond with the network
part.
Media Access
Control (MAC)
Arbitrates access to and from a shared medium.
Message Digest 5
(MD5)
A one-way hash function that creates a message digest for digital
signatures.
MultiLink Trunking
(MLT)
A method of link aggregation that uses multiple Ethernet trunks
aggregated to provide a single logical trunk. A multilink trunk provides the
combined bandwidth of multiple links and the physical layer protection
against the failure of a single link.
network access
server (NAS)
A network access server (NAS) is a single point of access to a remote
device. The NAS acts as a gateway to guard the remote device. A client
connects to the NAS and then the NAS connects to another device to
verify the credentials of the client. Once verified the NAS allows or
disallows access to the device. Network access servers are almost
exclusively used with Authentication, Authorization, and Accounting
(AAA) servers.
next hop
The next hop to which a packet can be sent to advance the packet to the
destination.
Point-to-Point
Protocol (PPP)
Point-to-Point Protocol is a basic protocol at the data link layer that
provides its own authentication protocols, with no authorization stage.
PPP is often used to form a direct connection between two networking
nodes.
port
A physical interface that transmits and receives data.
December 2017
Configuring Security on VOSS
432
Port Access Entity (PAE)
Port Access Entity
(PAE)
Software that controls each port on the switch. The PAE, which resides on
the device, supports authenticator functionality. The PAE works with the
Extensible Authentication Protocol over LAN (EAPoL).
Protocol Data Units
(PDUs)
A unit of data that is specified in a protocol of a specific layer and that
consists of protocol-control information of the specific layer and possibly
user data of that layer.
quality of service
(QoS)
QoS features reserve resources in a congested network, allowing you to
configure a higher priority for certain devices. For example, you can
configure a higher priority for IP deskphones, which need a fixed bit rate
and split the remaining bandwidth between data connections if calls in the
network are more important than the file transfers.
Read Write All (RWA)
An access class that lets users access all menu items and editable fields.
remote login (rlogin)
An application that provides a terminal interface between hosts (usually
UNIX) that use the TCP/IP network protocol. Unlike Telnet, rlogin
assumes the remote host is, or behaves like, a UNIX host.
Routing Information
Protocol (RIP)
A distance vector protocol in the IP suite, used by IP network-layer
protocol, that enables routers in the same AS to exchange routing
information by means of periodic updates. You often use RIP as a very
simple interior gateway protocol (IGP) within small networks.
Secure Copy (SCP)
Secure Copy securely transfers files between the switch and a remote
station.
Simple Network
Management
Protocol (SNMP)
SNMP administratively monitors network performance through agents
and management stations.
supplicant
A device, such as a PC, that applies for access to the network.
User Datagram
Protocol (UDP)
In TCP/IP, a packet-level protocol built directly on the Internet Protocol
layer. TCP/IP host systems use UDP for application-to-application
programs.
user-based policies
(UBP)
Establishes and enforces roles and conditions on an individual user basis
for access ports in the network.
view-based access
control model
(VACM)
Provides context, group access, and group security levels based on a
predefined subset of management information base (MIB) objects.
virtual router
forwarding (VRF)
Provides traffic isolation between customers operating over the same
node. Each virtual router emulates the behavior of a dedicated hardware
router by providing separate routing functionality, and the network treats
each VRF as a separate physical router.
December 2017
Configuring Security on VOSS
433