-
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst3850 Switches)First Published: --
Last Modified: --
Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000 800 553-NETS (6387)Fax: 408 527-0883
Text Part Number: OL-32606-01
-
2014 Cisco Systems, Inc. All rights reserved.
-
C O N T E N T S
P r e f a c e Preface xxiii
Audience xxiii
Document Organization xxiii
Document Conventions xxv
Related Documentation xxvi
Changes to This Document xxvi
Obtaining Documentation and Submitting a Service Request xxvii
C H A P T E R 1 Using the Command-Line Interface 1
Information About Using the Command-Line Interface 1
Command Modes 1
Understanding Abbreviated Commands 3
No and Default Forms of Commands 3
CLI Error Messages 4
Configuration Logging 4
Using the Help System 4
How to Use the CLI to Configure Features 6
Configuring the Command History 6
Changing the Command History Buffer Size 6
Recalling Commands 6
Disabling the Command History Feature 7
Enabling and Disabling Editing Features 7
Editing Commands Through Keystrokes 8
Editing Command Lines That Wrap 9
Searching and Filtering Output of show and more Commands 10
Accessing the CLI on a Switch Stack 11
Accessing the CLI Through a Console Connection or Through Telnet 11
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 iii
-
C H A P T E R 2 Preventing Unauthorized Access 13
Finding Feature Information 13
Preventing Unauthorized Access 13
C H A P T E R 3 Preventing Unauthorized Access 15
Finding Feature Information 15
Preventing Unauthorized Access 15
C H A P T E R 4 Controlling Switch Access with Passwords and Privilege Levels 17
Finding Feature Information 17
Restrictions for Controlling Switch Access with Passwords and Privileges 17
Information About Passwords and Privilege Levels 18
Default Password and Privilege Level Configuration 18
Additional Password Security 18
Password Recovery 19
Terminal Line Telnet Configuration 19
Username and Password Pairs 19
Privilege Levels 20
How to Control Switch Access with Passwords and Privilege Levels 20
Setting or Changing a Static Enable Password 20
Protecting Enable and Enable Secret Passwords with Encryption 22
Disabling Password Recovery 24
Setting a Telnet Password for a Terminal Line 25
Configuring Username and Password Pairs 27
Setting the Privilege Level for a Command 29
Changing the Default Privilege Level for Lines 31
Logging into and Exiting a Privilege Level 32
Monitoring Switch Access 33
Configuration Examples for Setting Passwords and Privilege Levels 33
Example: Setting or Changing a Static Enable Password 33
Example: Protecting Enable and Enable Secret Passwords with Encryption 33
Example: Setting a Telnet Password for a Terminal Line 34
Example: Setting the Privilege Level for a Command 34
Additional References 34
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)iv OL-32606-01
Contents
-
C H A P T E R 5 Configuring TACACS+ 37
Finding Feature Information 37
Prerequisites for TACACS+ 37
Information About TACACS+ 39
TACACS+ and Switch Access 39
TACACS+ Overview 39
TACACS+ Operation 41
Method List 42
TACACS+ Configuration Options 42
TACACS+ Login Authentication 42
TACACS+ Authorization for Privileged EXEC Access and Network Services 42
TACACS+ Accounting 43
Default TACACS+ Configuration 43
How to Configure Switch Access with TACACS+ 43
Identifying the TACACS+ Server Host and Setting the Authentication Key 43
Configuring TACACS+ Login Authentication 45
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 48
Starting TACACS+ Accounting 50
Establishing a Session with a Router if the AAA Server is Unreachable 51
Monitoring TACACS+ 52
Additional References for Configuring Secure Shell 52
Feature Information for TACACS+ 53
C H A P T E R 6 Configuring RADIUS 55
Finding Feature Information 55
Prerequisites for Configuring RADIUS 55
Restrictions for Configuring RADIUS 56
Information about RADIUS 57
RADIUS and Switch Access 57
RADIUS Overview 57
RADIUS Operation 58
RADIUS Change of Authorization 59
Change-of-Authorization Requests 60
RFC 5176 Compliance 61
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 v
Contents
-
Preconditions 62
CoA Request Response Code 62
Session Identification 62
CoA ACK Response Code 63
CoA NAK Response Code 63
CoA Request Commands 63
Session Reauthentication 64
Session Reauthentication in a Switch Stack 64
Session Termination 65
CoA Disconnect-Request 65
CoA Request: Disable Host Port 65
CoA Request: Bounce-Port 66
Stacking Guidelines for Session Termination 66
Stacking Guidelines for CoA-Request Bounce-Port 66
Stacking Guidelines for CoA-Request Disable-Port 67
Default RADIUS Configuration 67
RADIUS Server Host 67
RADIUS Login Authentication 68
AAA Server Groups 68
AAA Authorization 69
RADIUS Accounting 69
Vendor-Specific RADIUS Attributes 69
Vendor-Proprietary RADIUS Server Communication 81
How to Configure RADIUS 81
Identifying the RADIUS Server Host 81
Configuring RADIUS Login Authentication 84
Defining AAA Server Groups 86
Configuring RADIUS Authorization for User Privileged Access and Network Services 88
Starting RADIUS Accounting 90
Establishing a Session with a Router if the AAA Server is Unreachable 92
Configuring Settings for All RADIUS Servers 92
Configuring the Switch to Use Vendor-Specific RADIUS Attributes 93
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 95
Configuring CoA on the Switch 96
Configuring RADIUS Server Load Balancing 99
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)vi OL-32606-01
Contents
-
Monitoring CoA Functionality 99
Configuration Examples for Controlling Switch Access with RADIUS 100
Examples: Identifying the RADIUS Server Host 100
Example: Using Two Different RADIUS Group Servers 100
Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes 101
Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 101
Additional References for Configuring Secure Shell 101
Feature Information for RADIUS 103
C H A P T E R 7 Configuring Kerberos 105
Finding Feature Information 105
Prerequisites for Controlling Switch Access with Kerberos 105
Restrictions for Controlling Switch Access with Kerberos 106
Information about Kerberos 106
Kerberos and Switch Access 106
Kerberos Overview 106
Kerberos Operation 109
Authenticating to a Boundary Switch 109
Obtaining a TGT from a KDC 110
Authenticating to Network Services 110
How to Configure Kerberos 110
Monitoring the Kerberos Configuration 110
Additional References 111
Feature Information for Kerberos 112
C H A P T E R 8 Configuring Local Authentication and Authorization 113
Finding Feature Information 113
How to Configure Local Authentication and Authorization 113
Configuring the Switch for Local Authentication and Authorization 113
Monitoring Local Authentication and Authorization 116
Additional References 116
Feature Information for Local Authentication and Authorization 117
C H A P T E R 9 Configuring Secure Shell (SSH) 119
Finding Feature Information 119
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 vii
Contents
-
Prerequisites for Configuring Secure Shell 119
Restrictions for Configuring Secure Shell 120
Information About Configuring Secure Shell 120
SSH and Switch Access 121
SSH Servers, Integrated Clients, and Supported Versions 121
SSH Configuration Guidelines 121
Secure Copy Protocol Overview 122
Secure Copy Protocol 122
How to Configure SSH 123
Setting Up the Switch to Run SSH 123
Configuring the SSH Server 124
Monitoring the SSH Configuration and Status 127
Additional References for Configuring Secure Shell 127
Feature Information for Configuring Secure Shell 128
C H A P T E R 1 0 Configuring Secure Socket Layer HTTP 129
Finding Feature Information 129
Information about Secure Sockets Layer (SSL) HTTP 129
Secure HTTP Servers and Clients Overview 129
Certificate Authority Trustpoints 130
CipherSuites 131
Default SSL Configuration 132
SSL Configuration Guidelines 133
How to Configure Secure HTTP Servers and Clients 133
Configuring a CA Trustpoint 133
Configuring the Secure HTTP Server 135
Configuring the Secure HTTP Client 139
Monitoring Secure HTTP Server and Client Status 140
Additional References for Configuring Secure Shell 141
Feature Information for Secure Socket Layer HTTP 142
C H A P T E R 1 1 Configuring IPv4 ACLs 143
Finding Feature Information 143
Prerequisites for Configuring IPv4 Access Control Lists 143
Restrictions for Configuring IPv4 Access Control Lists 144
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)viii OL-32606-01
Contents
-
Information about Network Security with ACLs 145
Cisco TrustSec and ACLs 145
ACL Overview 145
Access Control Entries 146
ACL Supported Types 146
Supported ACLs 146
ACL Precedence 146
Port ACLs 147
Router ACLs 148
VLAN Maps 149
ACEs and Fragmented and Unfragmented Traffic 149
ACEs and Fragmented and Unfragmented Traffic Examples 150
ACLs and Switch Stacks 150
Active Switch and ACL Functions 151
Stack Member and ACL Functions 151
Active Switch Failure and ACLs 151
Standard and Extended IPv4 ACLs 151
IPv4 ACL Switch Unsupported Features 151
Access List Numbers 152
Numbered Standard IPv4 ACLs 153
Numbered Extended IPv4 ACLs 153
Named IPv4 ACLs 154
ACL Logging 154
Smart Logging 155
Hardware and Software Treatment of IP ACLs 155
VLAN Map Configuration Guidelines 155
VLAN Maps with Router ACLs 156
VLAN Maps and Router ACL Configuration Guidelines 156
Time Ranges for ACLs 157
IPv4 ACL Interface Considerations 158
How to Configure ACLs 158
Configuring IPv4 ACLs 158
Creating a Numbered Standard ACL 159
Creating a Numbered Extended ACL 160
Creating Named Standard ACLs 164
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 ix
Contents
-
Creating Extended Named ACLs 165
Configuring Time Ranges for ACLs 167
Applying an IPv4 ACL to a Terminal Line 169
Applying an IPv4 ACL to an Interface 171
Creating Named MAC Extended ACLs 172
Applying a MAC ACL to a Layer 2 Interface 174
Configuring VLAN Maps 176
Creating a VLAN Map 178
Applying a VLAN Map to a VLAN 180
Configuring VACL Logging 181
Monitoring IPv4 ACLs 183
Configuration Examples for ACLs 184
Examples: Using Time Ranges with ACLs 184
Examples: Including Comments in ACLs 184
Examples: Troubleshooting ACLs 185
IPv4 ACL Configuration Examples 186
ACLs in a Small Networked Office 186
Examples: ACLs in a Small Networked Office 187
Example: Numbered ACLs 187
Examples: Extended ACLs 187
Examples: Named ACLs 188
Examples: Time Range Applied to an IP ACL 189
Examples: Configuring Commented IP ACL Entries 189
Examples: ACL Logging 190
Configuration Examples for ACLs and VLAN Maps 191
Example: Creating an ACL and a VLAN Map to Deny a Packet 191
Example: Creating an ACL and a VLAN Map to Permit a Packet 191
Example: Default Action of Dropping IP Packets and Forwarding MAC Packets 191
Example: Default Action of Dropping MAC Packets and Forwarding IP Packets 192
Example: Default Action of Dropping All Packets 192
Configuration Examples for Using VLAN Maps in Your Network 193
Example: Wiring Closet Configuration 193
Example: Restricting Access to a Server on Another VLAN 194
Example: Denying Access to a Server on Another VLAN 195
Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs 195
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)x OL-32606-01
Contents
-
Example: ACLs and Switched Packets 195
Example: ACLs and Bridged Packets 196
Example: ACLs and Routed Packets 197
Example: ACLs and Multicast Packets 197
Additional References 198
Feature Information for IPv4 Access Control Lists 199
C H A P T E R 1 2 Configuring IPv6 ACLs 201
Finding Feature Information 201
IPv6 ACLs Overview 201
Switch Stacks and IPv6 ACLs 202
Interactions with Other Features and Switches 202
Restrictions for IPv6 ACLs 203
Default Configuration for IPv6 ACLs 203
Configuring IPv6 ACLs 203
Attaching an IPv6 ACL to an Interface 207
Monitoring IPv6 ACLs 209
Additional References 210
C H A P T E R 1 3 Configuring DHCP 213
Finding Feature Information 213
Information About DHCP 213
DHCP Server 213
DHCP Relay Agent 213
DHCP Snooping 214
Option-82 Data Insertion 215
Cisco IOS DHCP Server Database 218
DHCP Snooping Binding Database 218
DHCP Snooping and Switch Stacks 220
How to Configure DHCP Features 220
Default DHCP Snooping Configuration 220
DHCP Snooping Configuration Guidelines 221
Configuring the DHCP Server 221
DHCP Server and Switch Stacks 221
Configuring the DHCP Relay Agent 221
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 xi
Contents
-
Specifying the Packet Forwarding Address 223
Prerequisites for Configuring DHCP Snooping and Option 82 225
Enabling DHCP Snooping and Option 82 226
Enabling the Cisco IOS DHCP Server Database 230
Monitoring DHCP Snooping Information 230
Configuring DHCP Server Port-Based Address Allocation 230
Information About Configuring DHCP Server Port-Based Address Allocation 230
Default Port-Based Address Allocation Configuration 231
Port-Based Address Allocation Configuration Guidelines 231
Enabling the DHCP Snooping Binding Database Agent 231
Enabling DHCP Server Port-Based Address Allocation 233
Monitoring DHCP Server Port-Based Address Allocation 235
Additional References 235
Feature Information for DHCP Snooping and Option 82 236
C H A P T E R 1 4 Configuring IP Source Guard 239
Finding Feature Information 239
Information About IP Source Guard 239
IP Source Guard 239
IP Source Guard for Static Hosts 240
IP Source Guard Configuration Guidelines 241
How to Configure IP Source Guard 242
Enabling IP Source Guard 242
Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 243
Monitoring IP Source Guard 245
Additional References 246
C H A P T E R 1 5 Configuring Dynamic ARP Inspection 247
Finding Feature Information 247
Restrictions for Dynamic ARP Inspection 247
Understanding Dynamic ARP Inspection 249
Interface Trust States and Network Security 250
Rate Limiting of ARP Packets 251
Relative Priority of ARP ACLs and DHCP Snooping Entries 252
Logging of Dropped Packets 252
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)xii OL-32606-01
Contents
-
Default Dynamic ARP Inspection Configuration 252
Relative Priority of ARP ACLs and DHCP Snooping Entries 253
Configuring ARP ACLs for Non-DHCP Environments 253
Configuring Dynamic ARP Inspection in DHCP Environments 256
Limiting the Rate of Incoming ARP Packets 259
Performing Dynamic ARP Inspection Validation Checks 261
Monitoring DAI 263
Verifying the DAI Configuration 264
Additional References 264
C H A P T E R 1 6 Configuring IEEE 802.1x Port-Based Authentication 267
Finding Feature Information 267
Information About 802.1x Port-Based Authentication 267
Port-Based Authentication Process 268
Port-Based Authentication Initiation and Message Exchange 270
Authentication Manager for Port-Based Authentication 272
Port-Based Authentication Methods 272
Per-User ACLs and Filter-Ids 273
Port-Based Authentication Manager CLI Commands 274
Ports in Authorized and Unauthorized States 275
Port-Based Authentication and Switch Stacks 276
802.1x Host Mode 277
802.1x Multiple Authentication Mode 277
Multi-auth Per User VLAN assignment 278
Limitation in Multi-auth Per User VLAN assignment 279
MAC Move 280
MAC Replace 280
802.1x Accounting 281
802.1x Accounting Attribute-Value Pairs 281
802.1x Readiness Check 282
Switch-to-RADIUS-Server Communication 282
802.1x Authentication with VLAN Assignment 283
802.1x Authentication with Per-User ACLs 284
802.1x Authentication with Downloadable ACLs and Redirect URLs 285
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 287
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 xiii
Contents
-
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 287
VLAN ID-based MAC Authentication 288
802.1x Authentication with Guest VLAN 288
802.1x Authentication with Restricted VLAN 289
802.1x Authentication with Inaccessible Authentication Bypass 290
Inaccessible Authentication Bypass Support on Multiple-Authentication Ports 290
Inaccessible Authentication Bypass Authentication Results 291
Inaccessible Authentication Bypass Feature Interactions 291
802.1x Critical Voice VLAN 292
802.1x User Distribution 292
802.1x User Distribution Configuration Guidelines 293
IEEE 802.1x Authentication with Voice VLAN Ports 293
IEEE 802.1x Authentication with Port Security 294
IEEE 802.1x Authentication with Wake-on-LAN 294
IEEE 802.1x Authentication with MAC Authentication Bypass 295
Network Admission Control Layer 2 IEEE 802.1x Validation 296
Flexible Authentication Ordering 296
Open1x Authentication 297
Multidomain Authentication 297
Limiting Login for Users 299
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology
(NEAT) 299
Voice Aware 802.1x Security 300
Common Session ID 301
How to Configure 802.1x Port-Based Authentication 301
Default 802.1x Authentication Configuration 301
802.1x Authentication Configuration Guidelines 303
802.1x Authentication 303
VLANAssignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication
Bypass 304
MAC Authentication Bypass 305
Maximum Number of Allowed Devices Per Port 305
Configuring 802.1x Readiness Check 305
Configuring Voice Aware 802.1x Security 307
Configuring 802.1x Violation Modes 309
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)xiv OL-32606-01
Contents
-
Configuring 802.1x Authentication 311
Configuring 802.1x Port-Based Authentication 312
Configuring the Switch-to-RADIUS-Server Communication 314
Configuring the Host Mode 316
Configuring Periodic Re-Authentication 317
Changing the Quiet Period 319
Changing the Switch-to-Client Retransmission Time 320
Setting the Switch-to-Client Frame-Retransmission Number 321
Setting the Re-Authentication Number 323
Enabling MAC Move 324
Enabling MAC Replace 325
Configuring 802.1x Accounting 327
Configuring a Guest VLAN 328
Configuring a Restricted VLAN 330
Configuring Number of Authentication Attempts on a Restricted VLAN 331
Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN 333
Example of Configuring Inaccessible Authentication Bypass 336
Configuring 802.1x Authentication with WoL 337
Configuring MAC Authentication Bypass 338
Configuring 802.1x User Distribution 339
Example of Configuring VLAN Groups 340
Configuring NAC Layer 2 802.1x Validation 341
Configuring Limiting Login for Users 343
Configuring an Authenticator Switch with NEAT 344
Configuring a Supplicant Switch with NEAT 346
Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs 349
Configuring Downloadable ACLs 349
Configuring a Downloadable Policy 351
Configuring VLAN ID-based MAC Authentication 354
Configuring Flexible Authentication Ordering 354
Configuring Open1x 356
Disabling 802.1x Authentication on the Port 358
Resetting the 802.1x Authentication Configuration to the Default Values 359
Monitoring 802.1x Statistics and Status 360
Additional References for IEEE 802.1x Port-Based Authentication 361
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 xv
Contents
-
Feature Information for 802.1x Port-Based Authentication 362
C H A P T E R 1 7 Configuring Web-Based Authentication 363
Finding Feature Information 363
Web-Based Authentication Overview 363
Device Roles 365
Host Detection 365
Session Creation 366
Authentication Process 366
Local Web Authentication Banner 367
Web Authentication Customizable Web Pages 369
Guidelines 369
Authentication Proxy Web Page Guidelines 371
Redirection URL for Successful Login Guidelines 372
Web-based Authentication Interactions with Other Features 372
Port Security 372
LAN Port IP 372
Gateway IP 373
ACLs 373
Context-Based Access Control 373
EtherChannel 373
How to Configure Web-Based Authentication 373
Default Web-Based Authentication Configuration 373
Web-Based Authentication Configuration Guidelines and Restrictions 374
Web-Based Authentication Configuration Task List 375
Configuring the Authentication Rule and Interfaces 375
Configuring AAA Authentication 378
Configuring Switch-to-RADIUS-Server Communication 380
Configuring the HTTP Server 381
Customizing the Authentication Proxy Web Pages 383
Specifying a Redirection URL for Successful Login 384
Configuring the Web-Based Authentication Parameters 385
Configuring a Web-Based Authentication Local Banner 386
Configuring Web-Based Authentication without SVI 388
Configuring Web-Based Authentication with VRF Aware 389
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)xvi OL-32606-01
Contents
-
Removing Web-Based Authentication Cache Entries 391
Monitoring Web-Based Authentication Status 391
Feature Information for Web-Based Authentication 392
C H A P T E R 1 8 Configuring Port-Based Traffic Control 393
Overview of Port-Based Traffic Control 394
Finding Feature Information 394
Information About Storm Control 394
Storm Control 394
How Traffic Activity is Measured 395
Traffic Patterns 395
How to Configure Storm Control 396
Configuring Storm Control and Threshold Levels 396
Configuring Small-Frame Arrival Rate 399
Finding Feature Information 401
Information About Protected Ports 401
Protected Ports 401
Default Protected Port Configuration 402
Protected Ports Guidelines 402
How to Configure Protected Ports 402
Configuring a Protected Port 402
Monitoring Protected Ports 404
Where to Go Next 404
Additional References 404
Feature Information 405
Finding Feature Information 405
Information About Port Blocking 405
Port Blocking 405
How to Configure Port Blocking 406
Blocking Flooded Traffic on an Interface 406
Monitoring Port Blocking 408
Where to Go Next 408
Additional References 408
Feature Information 409
Prerequisites for Port Security 409
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 xvii
Contents
-
Restrictions for Port Security 410
Information About Port Security 410
Port Security 410
Types of Secure MAC Addresses 410
Sticky Secure MAC Addresses 410
Security Violations 411
Port Security Aging 412
Port Security and Switch Stacks 412
Default Port Security Configuration 413
Port Security Configuration Guidelines 413
Overview of Port-Based Traffic Control 414
How to Configure Port Security 415
Enabling and Configuring Port Security 415
Enabling and Configuring Port Security Aging 419
Finding Feature Information 421
Information About Storm Control 422
Storm Control 422
How Traffic Activity is Measured 422
Traffic Patterns 423
How to Configure Storm Control 423
Configuring Storm Control and Threshold Levels 423
Configuring Small-Frame Arrival Rate 426
Finding Feature Information 428
Information About Protected Ports 428
Protected Ports 428
Default Protected Port Configuration 429
Protected Ports Guidelines 429
How to Configure Protected Ports 429
Configuring a Protected Port 429
Monitoring Protected Ports 431
Where to Go Next 431
Additional References 431
Feature Information 432
Finding Feature Information 432
Information About Port Blocking 432
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)xviii OL-32606-01
Contents
-
Port Blocking 432
How to Configure Port Blocking 433
Blocking Flooded Traffic on an Interface 433
Monitoring Port Blocking 435
Where to Go Next 435
Additional References 435
Feature Information 436
Configuration Examples for Port Security 436
Additional References 437
Finding Feature Information 438
Information About Protocol Storm Protection 438
Protocol Storm Protection 438
Default Protocol Storm Protection Configuration 439
How to Configure Protocol Storm Protection 439
Enabling Protocol Storm Protection 439
Monitoring Protocol Storm Protection 440
Additional References 441
C H A P T E R 1 9 Configuring IPv6 First Hop Security 443
Finding Feature Information 443
Prerequisites for First Hop Security in IPv6 443
Restrictions for First Hop Security in IPv6 444
Information about First Hop Security in IPv6 444
How to Configure an IPv6 Snooping Policy 446
How to Attach an IPv6 Snooping Policy to an Interface 448
How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface 449
How to Attach an IPv6 Snooping Policy to VLANs Globally 450
How to Configure the IPv6 Binding Table Content 451
How to Configure an IPv6 Neighbor Discovery Inspection Policy 452
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface 454
How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel
Interface 456
How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally 457
How to Configure an IPv6 Router Advertisement Guard Policy 458
How to Attach an IPv6 Router Advertisement Guard Policy to an Interface 460
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 xix
Contents
-
How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel
Interface 461
How to Attach an IPv6 Router Advertisement Guard Policy to VLANs Globally 462
How to Configure an IPv6 DHCP Guard Policy 463
How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface 465
How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface 467
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally 468
Additional References 469
C H A P T E R 2 0 Configuring Wireless Guest Access 471
Finding Feature Information 471
Prerequisites for Guest Access 471
Restrictions for Guess Access 472
Information about Wireless Guest Access 472
Fast Secure Roaming 472
How to Configure Guest Access 473
Creating a Lobby Administrator Account 473
Configuring Guest User Accounts 474
Configuring Mobility Agent (MA) 475
Configuring Mobility Controller 477
Obtaining a Web Authentication Certificate 478
Displaying a Web Authentication Certificate 479
Choosing the Default Web Authentication Login Page 479
Choosing a Customized Web Authentication Login Page from an External Web Server 481
Assigning Login, Login Failure, and Logout Pages per WLAN 483
Configuring AAA-Override 484
Configuring Client Load Balancing 485
Configuring Preauthentication ACL 486
Configuring IOS ACL Definition 487
Configuring Webpassthrough 488
Configuration Examples for Guest Access 489
Example: Creating a Lobby Ambassador Account 489
Example: Obtaining Web Authentication Certificate 489
Example: Displaying a Web Authentication Certificate 490
Example: Configuring Guest User Accounts 491
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)xx OL-32606-01
Contents
-
Example: Configuring Mobility Controller 491
Example: Choosing the Default Web Authentication Login Page 492
Example: Choosing a CustomizedWeb Authentication Login Page from an IPv4 External Web
Server 493
Example: Assigning Login, Login Failure, and Logout Pages per WLAN 493
Example: Configuring AAA-Override 493
Example: Configuring Client Load Balancing 494
Example: Configuring Preauthentication ACL 494
Example: Configuring IOS ACL Definition 494
Example: Configuring Webpassthrough 494
Additional References for Guest Access 495
Feature History and Information for Guest Access 496
C H A P T E R 2 1 Configuring Intrusion Detection System 497
Finding Feature Information 497
Information About Intrusion Detection System 497
How to Configure Intrusion Detection System 498
Configuring IDS Sensors 498
Monitoring Intrusion Detection System 499
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 xxi
Contents
-
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)xxii OL-32606-01
Contents
-
Preface
This book describes configuration information and examples for security management on the switch.
Audience, page xxiii
Document Organization, page xxiii
Document Conventions, page xxv
Related Documentation, page xxvi
Changes to This Document, page xxvi
Obtaining Documentation and Submitting a Service Request, page xxvii
AudienceThis guide is for the networking professional managing the Catalyst 3850 switch, hereafter referred to as theswitch module. Before using this guide, you should have experience working with the Cisco IOS softwareand be familiar with the concepts and terminology of Ethernet and local area networking.
Document OrganizationThis document is organized into the following chapters:
Table 1: Document Organization
DescriptionTitleChapter
Describes how to use the Cisco IOS command lineinterface.
Using the Command-Line InterfaceChapter 1
Describes how to prevent unauthorized users fromreconfiguring your device and viewing configurationinformation.
Preventing Unauthorized AccessChapter 2
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 xxiii
-
DescriptionTitleChapter
Describes how to control switch access with passwordsand privilege levels.
Controlling Switch Access withPasswords and Privilege Levels
Chapter 3
Describes how to install, configure and troubleshootgeneral features for TACACS+.
Configuring TACACS+Chapter 4
Describes how to install, configure and troubleshootgeneral features for RADIUS.
Configuring RADIUSChapter 5
Describes how to install, configure and troubleshootgeneral features for Kerberos.
Configuring KerberosChapter 6
Describes how to install, configure and troubleshootgeneral features for Local Authentication andAuthorization.
Configuring Local Authenticationand Authorization
Chapter 7
Describes how to install, configure and troubleshootgeneral features for Secure Shell (SSH).
Configuring Secure Shell (SSH)Chapter 8
Describes how to install, configure and troubleshootgeneral features for Secure Socket Layer HTTP.
Configuring Secure Socket LayerHTTP
Chapter 9
Describes how to install, configure and troubleshootgeneral features for IPv4 ACLs.
Configuring IPv4 ACLsChapter 10
Describes how to install, configure and troubleshootgeneral features for IPv6 ACLs.
Configuring IPv6 ACLsChapter 11
Describes how to install, configure and troubleshootgeneral features for DHCP Snooping and Option 82.
Configuring DHCPChapter 12
Describes how to install, configure and troubleshootgeneral features for IP Source Guard.
Configuring IP Source GuardChapter 13
Describes hot to configure and monitor the DAI feature.Configuring Dynamic ARPInspection
Chapter 14
Describes how to install, configure and troubleshootgeneral features for IEEE 802.1x Port-BasedAuthentication.
Configuring IEEE 802.1xPort-Based Authentication
Chapter 15
Describes how to configure and troubleshoot WBA.Configuring Web-BasedAuthentication
Chapter 16
Describes how to configure and monitor variousport-based security features.
Configuring Port-Based TrafficControl
Chapter 17
Describes how to configure and monitor IPv6 policyfeatures.
Configuring IPv6 First HopSecurity
Chapter 18
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)xxiv OL-32606-01
PrefaceDocument Organization
-
DescriptionTitleChapter
Describes how to configure and monitor guest accesson the embedded wireless controller.
ConfiguringWireless Guest AccessChapter 19
Describes how to configure the switch to operate withthe Cisco IDS.
Configuring Intrusion DetectionSystem
Chapter 20
Index
Document ConventionsThis publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
Commands and keywords are in boldface text.
Arguments for which you supply values are in italic.
Square brackets ([ ]) means optional elements.
Braces ({}) group required choices, and vertical bars ( | ) separate the alternative elements.
Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optionalelement.
Interactive examples use these conventions:
Terminal sessions and system displays are in screen font.
Information you enter is in boldface screen font
Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and warnings use these conventions and symbols:
Means reader take note. Notes contain helpful suggestions or references to materials not contained in thismanual.
Note
Reader Alert Conventions
This document uses the following conventions for reader alerts:
Means reader take note. Notes contain helpful suggestions or references to material not covered in themanual.
Note
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 xxv
PrefaceDocument Conventions
-
Means the following information will help you solve a problem.Tip
Means reader be careful. In this situation, you might do something that could result in equipment damageor loss of data.
Caution
Means the described action saves time. You can save time by performing the action described in theparagraph.
Timesaver
Means reader be warned. In this situation, you might perform an action that could result in bodilyinjury.
Warning
Related Documentation
Before installing or upgrading the switch, refer to the switch release notes.Note
Cisco Catalyst 3850 Series Switches documentation, located at:http://www.cisco.com/go/cat3850_docs
Cisco SFP and SFP+ modules documentation, including compatibility matrixes, located at:http://www.cisco.com/en/US/products/hw/modules/ps5455/tsd_products_support_series_home.html
Cisco Validated Designs documents, located at:http://www.cisco.com/go/designzone
Changes to This DocumentThis table lists the technical changes made to this document since it was first printed.
Table 2: Changes to This Document
Change SummaryDateRevision
Initial release of this document.July 2012OL-xxxxx-01
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)xxvi OL-32606-01
PrefaceRelated Documentation
http://www.cisco.com/go/cat3850_docshttp://www.cisco.com/en/US/products/hw/modules/ps5455/tsd_products_support_series_home.htmlhttp://www.cisco.com/go/designzone
-
Obtaining Documentation and Submitting a Service RequestFor information on obtaining documentation, submitting a service request, and gathering additional information,see the monthlyWhat's New in Cisco Product Documentation, which also lists all new and revised Ciscotechnical documentation, at:
http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html
Subscribe to theWhat's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feedand set content to be delivered directly to your desktop using a reader application. The RSS feeds are a freeservice and Cisco currently supports RSS version 2.0.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 xxvii
PrefaceObtaining Documentation and Submitting a Service Request
http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html
-
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)xxviii OL-32606-01
PrefaceObtaining Documentation and Submitting a Service Request
-
C H A P T E R 1Using the Command-Line Interface
Information About Using the Command-Line Interface, page 1
How to Use the CLI to Configure Features, page 6
Information About Using the Command-Line Interface
Command ModesThe Cisco IOS user interface is divided into many different modes. The commands available to you dependon whichmode you are currently in. Enter a questionmark (?) at the system prompt to obtain a list of commandsavailable for each command mode.
You can start a CLI session through a console connection, through Telnet, an SSH, or by using the browser.
When you start a session, you begin in user mode, often called user EXEC mode. Only a limited subset ofthe commands are available in user EXECmode. For example, most of the user EXEC commands are one-timecommands, such as show commands, which show the current configuration status, and clear commands,which clear counters or interfaces. The user EXEC commands are not saved when the switch reboots.
To have access to all commands, youmust enter privileged EXECmode. Normally, youmust enter a passwordto enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enterglobal configuration mode.
Using the configurationmodes (global, interface, and line), you canmake changes to the running configuration.If you save the configuration, these commands are stored and used when the switch reboots. To access thevarious configuration modes, you must start at global configuration mode. From global configuration mode,you can enter interface configuration mode and line configuration mode .
This table describes the main command modes, how to access each one, the prompt you see in that mode, andhow to exit the mode.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 1
-
Table 3: Command Mode Summary
About This ModeExit MethodPromptAccess MethodMode
Use this mode to
Changeterminalsettings.
Perform basictests.
Display systeminformation.
Enter logout orquit.Switch>
Begin a sessionusing Telnet, SSH,or console.
User EXEC
Use this mode toverify commandsthat you haveentered. Use apassword to protectaccess to this mode.
Enter disableto exit.Switch#
While in userEXEC mode, enterthe enablecommand.
Privileged EXEC
Use this mode toconfigure parametersthat apply to theentire switch.
To exit toprivilegedEXEC mode,enter exit orend, or pressCtrl-Z.
Switch(config)#While in privilegedEXEC mode, enterthe configurecommand.
Globalconfiguration
Use this mode toconfigure VLANparameters. WhenVTP mode istransparent, you cancreateextended-rangeVLANs (VLAN IDsgreater than 1005)and saveconfigurations in theswitch startupconfiguration file.
To exit toglobalconfigurationmode, enter theexit command.
To return toprivilegedEXEC mode,pressCtrl-Z orenter end.
Switch(config-vlan)#While in globalconfigurationmode, enter thevlan vlan-idcommand.
VLANconfiguration
Use this mode toconfigure parametersfor the Ethernetports.
Switch(config-if)#While in globalconfigurationmode, enter theinterface command(with a specificinterface).
Interfaceconfiguration
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)2 OL-32606-01
Using the Command-Line InterfaceCommand Modes
-
About This ModeExit MethodPromptAccess MethodMode
To exit toglobalconfigurationmode, enterexit.
To return toprivilegedEXEC mode,pressCtrl-Z orenter end.
Use this mode toconfigure parametersfor the terminal line.
To exit toglobalconfigurationmode, enterexit.
To return toprivilegedEXEC mode,pressCtrl-Z orenter end.
Switch(config-line)#While in globalconfigurationmode, specify a linewith the line vty orline consolecommand.
Line configuration
Understanding Abbreviated CommandsYou need to enter only enough characters for the switch to recognize the command as unique.
This example shows how to enter the show configuration privileged EXEC command in an abbreviated form:
Switch# show conf
No and Default Forms of CommandsAlmost every configuration command also has a no form. In general, use the no form to disable a feature orfunction or reverse the action of a command. For example, the no shutdown interface configuration commandreverses the shutdown of an interface. Use the command without the keyword no to reenable a disabled featureor to enable a feature that is disabled by default.
Configuration commands can also have a default form. The default form of a command returns the commandsetting to its default. Most commands are disabled by default, so the default form is the same as the no form.However, some commands are enabled by default and have variables set to certain default values. In thesecases, the default command enables the command and sets variables to their default values.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 3
Using the Command-Line InterfaceUnderstanding Abbreviated Commands
-
CLI Error MessagesThis table lists some error messages that you might encounter while using the CLI to configure your switch.
Table 4: Common CLI Error Messages
How to Get HelpMeaningError Message
Reenter the command followed bya question mark (?) without anyspace between the command andthe question mark.
The possible keywords that you canenter with the command appear.
You did not enter enoughcharacters for your switch torecognize the command.
% Ambiguous command: "showcon"
Reenter the command followed bya question mark (?) with a spacebetween the command and thequestion mark.
The possible keywords that you canenter with the command appear.
You did not enter all of thekeywords or values required by thiscommand.
% Incomplete command.
Enter a questionmark (?) to displayall of the commands that areavailable in this command mode.
The possible keywords that you canenter with the command appear.
You entered the commandincorrectly. The caret (^) marks thepoint of the error.
% Invalid input detected at^ marker.
Configuration LoggingYou can log and view changes to the switch configuration. You can use the Configuration Change Loggingand Notification feature to track changes on a per-session and per-user basis. The logger tracks eachconfiguration command that is applied, the user who entered the command, the time that the command wasentered, and the parser return code for the command. This feature includes a mechanism for asynchronousnotification to registered applications whenever the configuration changes. You can choose to have thenotifications sent to the syslog.
Only CLI or HTTP changes are logged.Note
Using the Help SystemYou can enter a question mark (?) at the system prompt to display a list of commands available for eachcommand mode. You can also obtain a list of associated keywords and arguments for any command.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)4 OL-32606-01
Using the Command-Line InterfaceCLI Error Messages
-
SUMMARY STEPS
1. help2. abbreviated-command-entry ?3. abbreviated-command-entry 4. ?5. command ?6. command keyword ?
DETAILED STEPS
PurposeCommand or Action
Obtains a brief description of the help system in anycommand mode.
help
Example:Switch# help
Step 1
Obtains a list of commands that begin with a particularcharacter string.
abbreviated-command-entry ?
Example:Switch# di?dir disable disconnect
Step 2
Completes a partial command name.abbreviated-command-entry
Example:Switch# sh confSwitch# show configuration
Step 3
Lists all commands available for a particular commandmode.
?
Example:Switch> ?
Step 4
Lists the associated keywords for a command.command ?
Example:Switch> show ?
Step 5
Lists the associated arguments for a keyword.command keyword ?
Example:Switch(config)# cdp holdtime ? Length of time (in sec) that receiver
Step 6
must keep this packet
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 5
Using the Command-Line InterfaceUsing the Help System
-
How to Use the CLI to Configure Features
Configuring the Command HistoryThe software provides a history or record of commands that you have entered. The command history featureis particularly useful for recalling long or complex commands or entries, including access lists. You cancustomize this feature to suit your needs.
Changing the Command History Buffer SizeBy default, the switch records ten command lines in its history buffer. You can alter this number for a currentterminal session or for all sessions on a particular line. This procedure is optional.
SUMMARY STEPS
1. terminal history [size number-of-lines]
DETAILED STEPS
PurposeCommand or Action
Changes the number of command lines that the switch records duringthe current terminal session in privileged EXEC mode. You canconfigure the size from 0 to 256.
terminal history [size number-of-lines]
Example:Switch# terminal history size 200
Step 1
Recalling CommandsTo recall commands from the history buffer, perform one of the actions listed in this table. These actions areoptional.
The arrow keys function only on ANSI-compatible terminals such as VT100s.Note
SUMMARY STEPS
1. Ctrl-P or use the up arrow key2. Ctrl-N or use the down arrow key3. show history
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)6 OL-32606-01
Using the Command-Line InterfaceHow to Use the CLI to Configure Features
-
DETAILED STEPS
PurposeCommand or Action
Recalls commands in the history buffer, beginningwith themost recent command.Repeat the key sequence to recall successively older commands.
Ctrl-P or use the up arrow keyStep 1
Returns to more recent commands in the history buffer after recalling commandswith Ctrl-P or the up arrow key. Repeat the key sequence to recall successivelymore recent commands.
Ctrl-N or use the down arrow keyStep 2
Lists the last several commands that you just entered in privileged EXEC mode.The number of commands that appear is controlled by the setting of the terminal
show history
Example:Switch# show history
Step 3
history global configuration command and the history line configurationcommand.
Disabling the Command History FeatureThe command history feature is automatically enabled. You can disable it for the current terminal session orfor the command line. This procedure is optional.
SUMMARY STEPS
1. terminal no history
DETAILED STEPS
PurposeCommand or Action
Disables the feature during the current terminal session inprivileged EXEC mode.
terminal no history
Example:Switch# terminal no history
Step 1
Enabling and Disabling Editing FeaturesAlthough enhanced editing mode is automatically enabled, you can disable it and reenable it.
SUMMARY STEPS
1. terminal editing2. terminal no editing
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 7
Using the Command-Line InterfaceEnabling and Disabling Editing Features
-
DETAILED STEPS
PurposeCommand or Action
Reenables the enhanced editing mode for the current terminalsession in privileged EXEC mode.
terminal editing
Example:Switch# terminal editing
Step 1
Disables the enhanced editing mode for the current terminalsession in privileged EXEC mode.
terminal no editing
Example:Switch# terminal no editing
Step 2
Editing Commands Through KeystrokesThe keystrokes help you to edit the command lines. These keystrokes are optional.
The arrow keys function only on ANSI-compatible terminals such as VT100s.Note
Table 5: Editing Commands
DescriptionEditing Commands
Moves the cursor back one character.Ctrl-B or use the left arrow key
Moves the cursor forward one character.Ctrl-F or use the right arrow key
Moves the cursor to the beginning of the commandline.
Ctrl-A
Moves the cursor to the end of the command line.Ctrl-E
Moves the cursor back one word.Esc B
Moves the cursor forward one word.Esc F
Transposes the character to the left of the cursor withthe character located at the cursor.
Ctrl-T
Erases the character to the left of the cursor.Delete or Backspace key
Deletes the character at the cursor.Ctrl-D
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)8 OL-32606-01
Using the Command-Line InterfaceEnabling and Disabling Editing Features
-
Deletes all characters from the cursor to the end ofthe command line.
Ctrl-K
Deletes all characters from the cursor to the beginningof the command line.
Ctrl-U or Ctrl-X
Deletes the word to the left of the cursor.Ctrl-W
Deletes from the cursor to the end of the word.Esc D
Capitalizes at the cursor.Esc C
Changes the word at the cursor to lowercase.Esc L
Capitalizes letters from the cursor to the end of theword.
Esc U
Designates a particular keystroke as an executablecommand, perhaps as a shortcut.
Ctrl-V or Esc Q
Scrolls down a line or screen on displays that arelonger than the terminal screen can display.
TheMore prompt is used for any output thathas more lines than can be displayed on theterminal screen, including show commandoutput. You can use the Return and Spacebar keystrokes whenever you see the Moreprompt.
Note
Return key
Scrolls down one screen.Space bar
Redisplays the current command line if the switchsuddenly sends a message to your screen.
Ctrl-L or Ctrl-R
Editing Command Lines That WrapYou can use a wraparound feature for commands that extend beyond a single line on the screen. When thecursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first tencharacters of the line, but you can scroll back and check the syntax at the beginning of the command. Thekeystroke actions are optional.
To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You canalso press Ctrl-A to immediately move to the beginning of the line.
The arrow keys function only on ANSI-compatible terminals such as VT100s.Note
The following example shows how to wrap a command line that extends beyond a single line on the screen.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 9
Using the Command-Line InterfaceEnabling and Disabling Editing Features
-
SUMMARY STEPS
1. access-list2. Ctrl-A3. Return key
DETAILED STEPS
PurposeCommand or Action
Displays the global configuration command entry that extends beyondone line.
access-list
Example:
Switch(config)# access-list 101 permit tcp
Step 1
When the cursor first reaches the end of the line, the line is shifted tenspaces to the left and redisplayed. The dollar sign ($) shows that theline has been scrolled to the left. Each time the cursor reaches the endof the line, the line is again shifted ten spaces to the left.
10.15.22.25 255.255.255.0 10.15.22.35Switch(config)# $ 101 permit tcp10.15.22.25 255.255.255.0 10.15.22.35255.25Switch(config)# $t tcp 10.15.22.25255.255.255.0 131.108.1.20 255.255.255.0eqSwitch(config)# $15.22.25 255.255.255.010.15.22.35 255.255.255.0 eq 45
Checks the complete syntax.Ctrl-AStep 2
Example:Switch(config)# access-list 101 permit tcp10.15.22.25 255.255.255.0 10.15.2$
The dollar sign ($) appears at the end of the line to show that the linehas been scrolled to the right.
Execute the commands.Return keyStep 3
The software assumes that you have a terminal screen that is 80 columnswide. If you have a different width, use the terminal width privilegedEXEC command to set the width of your terminal.
Use line wrapping with the command history feature to recall andmodify previous complex command entries.
Searching and Filtering Output of show and more CommandsYou can search and filter the output for show andmore commands. This is useful when you need to sortthrough large amounts of output or if you want to exclude output that you do not need to see. Using thesecommands is optional.
SUMMARY STEPS
1. {show |more} command | {begin | include | exclude} regular-expression
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)10 OL-32606-01
Using the Command-Line InterfaceSearching and Filtering Output of show and more Commands
-
DETAILED STEPS
PurposeCommand or Action
Searches and filters the output.{show |more} command | {begin | include | exclude}regular-expression
Step 1
Expressions are case sensitive. For example, if you enter| exclude output, the lines that contain output are notdisplayed, but the lines that contain output appear.Example:
Switch# show interfaces | include protocolVlan1 is up, line protocol is upVlan10 is up, line protocol is downGigabitEthernet1/0/1 is up, line protocol is downGigabitEthernet1/0/2 is up, line protocol is up
Accessing the CLI on a Switch StackYou can access the CLI through a console connection, through Telnet, a SSH, or by using the browser.
You manage the switch stack and the stack member interfaces through the active switch. You cannot managestack members on an individual switch basis. You can connect to the active switch through the console portor the Ethernet management port of one or more stack members. Be careful with using multiple CLI sessionson the active switch. Commands that you enter in one session are not displayed in the other sessions. Therefore,it is possible to lose track of the session from which you entered commands.
We recommend using one CLI session when managing the switch stack.Note
If you want to configure a specific stack member port, you must include the stack member number in the CLIcommand interface notation.
To debug the standby switch, use the session standby ios privileged EXEC command from the active switchto access the IOS console of the standby switch. To debug a specific stack member, use the session switchstack-member-number privileged EXEC command from the active switch to access the diagnostic shell ofthe stack member. For more information about these commands, see the switch command reference.
Accessing the CLI Through a Console Connection or Through TelnetBefore you can access the CLI, you must connect a terminal or a PC to the switch console or connect a PC tothe Ethernet management port and then power on the switch, as described in the hardware installation guidethat shipped with your switch.
If your switch is already configured, you can access the CLI through a local console connection or through aremote Telnet session, but your switch must first be configured for this type of access.
You can use one of these methods to establish a connection with the switch:
Connect the switch console port to a management station or dial-up modem, or connect the Ethernetmanagement port to a PC. For information about connecting to the console or Ethernet managementport, see the switch hardware installation guide.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 11
Using the Command-Line InterfaceAccessing the CLI on a Switch Stack
-
Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station.The switch must have network connectivity with the Telnet or SSH client, and the switch must have anenable secret password configured.
The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user arereflected in all other Telnet sessions.
The switch supports up to five simultaneous secure SSH sessions.
After you connect through the console port, through the Ethernet management port, through a Telnetsession or through an SSH session, the user EXEC prompt appears on the management station.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)12 OL-32606-01
Using the Command-Line InterfaceAccessing the CLI Through a Console Connection or Through Telnet
-
C H A P T E R 2Preventing Unauthorized Access
Finding Feature Information, page 13
Preventing Unauthorized Access, page 13
Finding Feature InformationYour software release may not support all the features documented in this module. For the latest caveats andfeature information, see Bug Search Tool and the release notes for your platform and software release. Tofind information about the features documented in this module, and to see a list of the releases in which eachfeature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is notrequired.
Preventing Unauthorized AccessYou can prevent unauthorized users from reconfiguring your switch and viewing configuration information.Typically, you want network administrators to have access to your switch while you restrict access to userswho dial from outside the network through an asynchronous port, connect from outside the network througha serial port, or connect through a terminal or workstation from within the local network.
To prevent unauthorized access into your switch, you should configure one or more of these security features:
At a minimum, you should configure passwords and privileges at each switch port. These passwordsare locally stored on the switch. When users attempt to access the switch through a port or line, theymust enter the password specified for the port or line before they can access the switch.
For an additional layer of security, you can also configure username and password pairs, which arelocally stored on the switch. These pairs are assigned to lines or ports and authenticate each user beforethat user can access the switch. If you have defined privilege levels, you can also assign a specificprivilege level (with associated rights and privileges) to each username and password pair.
If you want to use username and password pairs, but you want to store them centrally on a server insteadof locally, you can store them in a database on a security server. Multiple networking devices can thenuse the same database to obtain user authentication (and, if necessary, authorization) information.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 13
http://www.cisco.com/go/cfn
-
You can also enable the login enhancements feature, which logs both failed and unsuccessful loginattempts. Login enhancements can also be configured to block future login attempts after a set numberof unsuccessful attempts are made. For more information, see the Cisco IOS Login Enhancementsdocumentation.
Related Topics
Configuring Username and Password Pairs, on page 27TACACS+ and Switch Access, on page 39Setting a Telnet Password for a Terminal Line, on page 25Configuring Username and Password Pairs, on page 27TACACS+ and Switch Access, on page 39Setting a Telnet Password for a Terminal Line, on page 25
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)14 OL-32606-01
Preventing Unauthorized AccessPreventing Unauthorized Access
-
C H A P T E R 3Preventing Unauthorized Access
Finding Feature Information, page 15
Preventing Unauthorized Access, page 15
Finding Feature InformationYour software release may not support all the features documented in this module. For the latest caveats andfeature information, see Bug Search Tool and the release notes for your platform and software release. Tofind information about the features documented in this module, and to see a list of the releases in which eachfeature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is notrequired.
Preventing Unauthorized AccessYou can prevent unauthorized users from reconfiguring your switch and viewing configuration information.Typically, you want network administrators to have access to your switch while you restrict access to userswho dial from outside the network through an asynchronous port, connect from outside the network througha serial port, or connect through a terminal or workstation from within the local network.
To prevent unauthorized access into your switch, you should configure one or more of these security features:
At a minimum, you should configure passwords and privileges at each switch port. These passwordsare locally stored on the switch. When users attempt to access the switch through a port or line, theymust enter the password specified for the port or line before they can access the switch.
For an additional layer of security, you can also configure username and password pairs, which arelocally stored on the switch. These pairs are assigned to lines or ports and authenticate each user beforethat user can access the switch. If you have defined privilege levels, you can also assign a specificprivilege level (with associated rights and privileges) to each username and password pair.
If you want to use username and password pairs, but you want to store them centrally on a server insteadof locally, you can store them in a database on a security server. Multiple networking devices can thenuse the same database to obtain user authentication (and, if necessary, authorization) information.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 15
http://www.cisco.com/go/cfn
-
You can also enable the login enhancements feature, which logs both failed and unsuccessful loginattempts. Login enhancements can also be configured to block future login attempts after a set numberof unsuccessful attempts are made. For more information, see the Cisco IOS Login Enhancementsdocumentation.
Related Topics
Configuring Username and Password Pairs, on page 27TACACS+ and Switch Access, on page 39Setting a Telnet Password for a Terminal Line, on page 25Configuring Username and Password Pairs, on page 27TACACS+ and Switch Access, on page 39Setting a Telnet Password for a Terminal Line, on page 25
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)16 OL-32606-01
Preventing Unauthorized AccessPreventing Unauthorized Access
-
C H A P T E R 4Controlling Switch Access with Passwords andPrivilege Levels
Finding Feature Information, page 17
Restrictions for Controlling Switch Access with Passwords and Privileges, page 17
Information About Passwords and Privilege Levels, page 18
How to Control Switch Access with Passwords and Privilege Levels, page 20
Monitoring Switch Access, page 33
Configuration Examples for Setting Passwords and Privilege Levels, page 33
Additional References, page 34
Finding Feature InformationYour software release may not support all the features documented in this module. For the latest caveats andfeature information, see Bug Search Tool and the release notes for your platform and software release. Tofind information about the features documented in this module, and to see a list of the releases in which eachfeature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is notrequired.
Restrictions for Controlling Switch Access with Passwordsand Privileges
The following are the restrictions for controlling switch access with passwords and privileges:
Disabling password recovery will not work if you have set the switch to boot up manually by using theboot manual global configuration command. This command produces the boot loader prompt (switch:)after the switch is power cycled.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 17
http://www.cisco.com/go/cfn
-
Related Topics
Disabling Password Recovery, on page 24Password Recovery, on page 19
Information About Passwords and Privilege Levels
Default Password and Privilege Level ConfigurationA simple way of providing terminal access control in your network is to use passwords and assign privilegelevels. Password protection restricts access to a network or network device. Privilege levels define whatcommands users can enter after they have logged into a network device.
This table shows the default password and privilege level configuration.
Table 6: Default Password and Privilege Levels
Default SettingFeature
No password is defined. The default is level 15(privileged EXEC level). The password is notencrypted in the configuration file.
Enable password and privilege level
No password is defined. The default is level 15(privileged EXEC level). The password is encryptedbefore it is written to the configuration file.
Enable secret password and privilege level
No password is defined.Line password
Additional Password SecurityTo provide an additional layer of security, particularly for passwords that cross the network or that are storedon a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secretglobal configuration commands. Both commands accomplish the same thing; that is, you can establish anencrypted password that users must enter to access privileged EXECmode (the default) or any privilege levelyou specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; thetwo commands cannot be in effect simultaneously.
If you enable password encryption, it applies to all passwords including username passwords, authenticationkey passwords, the privileged command password, and console and virtual terminal line passwords.
Related Topics
Protecting Enable and Enable Secret Passwords with Encryption, on page 22Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 33
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)18 OL-32606-01
Controlling Switch Access with Passwords and Privilege LevelsInformation About Passwords and Privilege Levels
-
Password RecoveryBy default, any end user with physical access to the switch can recover from a lost password by interruptingthe boot process while the switch is powering on and then by entering a new password.
The password-recovery disable feature protects access to the switch password by disabling part of thisfunctionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to setthe system back to the default configuration. With password recovery disabled, you can still interrupt the bootprocess and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat)are deleted.
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on asecure server in case the end user interrupts the boot process and sets the system back to default values. Donot keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparentmode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. Whenthe switch is returned to the default system configuration, you can download the saved files to the switch byusing the Xmodem protocol.
To re-enable password recovery, use the service password-recovery global configuration command.
Related Topics
Disabling Password Recovery, on page 24Restrictions for Controlling Switch Access with Passwords and Privileges, on page 17
Terminal Line Telnet ConfigurationWhen you power-up your switch for the first time, an automatic setup program runs to assign IP informationand to create a default configuration for continued use. The setup program also prompts you to configure yourswitch for Telnet access through a password. If you did not configure this password during the setup program,you can configure it when you set a Telnet password for a terminal line.
Related Topics
Setting a Telnet Password for a Terminal Line, on page 25Example: Setting a Telnet Password for a Terminal Line, on page 34
Username and Password PairsYou can configure username and password pairs, which are locally stored on the switch. These pairs areassigned to lines or ports and authenticate each user before that user can access the switch. If you have definedprivilege levels, you can also assign a specific privilege level (with associated rights and privileges) to eachusername and password pair.
Related Topics
Configuring Username and Password Pairs, on page 27
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 19
Controlling Switch Access with Passwords and Privilege LevelsPassword Recovery
-
Privilege LevelsCisco devices use privilege levels to provide password security for different levels of switch operation. Bydefault, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC(Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands foreach mode. By configuring multiple passwords, you can allow different sets of users to have access to specifiedcommands.
Privilege Levels on Lines
Users can override the privilege level you set using the privilege level line configuration command by loggingin to the line and enabling a different privilege level. They can lower the privilege level by using the disablecommand. If users know the password to a higher privilege level, they can use that password to enable thehigher privilege level. You might specify a high level or privilege level for your console line to restrict lineusage.
For example, if you want many users to have access to the clear line command, you can assign it level 2 securityand distribute the level 2 password fairly widely. But if you want more restricted access to the configurecommand, you can assign it level 3 security and distribute that password to a more restricted group of users.
Command Privilege Levels
When you set a command to a privilege level, all commands whose syntax is a subset of that command arealso set to that level. For example, if you set the show ip traffic command to level 15, the show commandsand show ip commands are automatically set to privilege level 15 unless you set them individually to differentlevels.
Related Topics
Setting the Privilege Level for a Command, on page 29Example: Setting the Privilege Level for a Command, on page 34Changing the Default Privilege Level for Lines, on page 31Logging into and Exiting a Privilege Level, on page 32
How to Control Switch Access with Passwords and PrivilegeLevels
Setting or Changing a Static Enable PasswordThe enable password controls access to the privileged EXEC mode. Follow these steps to set or change astatic enable password:
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)20 OL-32606-01
Controlling Switch Access with Passwords and Privilege LevelsPrivilege Levels
-
SUMMARY STEPS
1. enable2. configure terminal3. enable password password4. end5. show running-config6. copy running-config startup-config
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode. Enter your password if prompted.enable
Example:
Switch> enable
Step 1
Enters the global configuration mode.configure terminal
Example:
Switch# configure terminal
Step 2
Defines a new password or changes an existing password for access toprivileged EXEC mode.
enable password password
Example:
Switch(config)# enable password
Step 3
By default, no password is defined.
For password, specify a string from 1 to 25 alphanumeric characters. Thestring cannot start with a number, is case sensitive, and allows spaces butsecret321ignores leading spaces. It can contain the question mark (?) character ifyou precede the question mark with the key combination Crtl-v whenyou create the password; for example, to create the password abc?123,do this:
1 Enter abc.
2 Enter Crtl-v.
3 Enter ?123.
When the system prompts you to enter the enable password, you neednot precede the question mark with the Ctrl-v; you can simply enterabc?123 at the password prompt.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 21
Controlling Switch Access with Passwords and Privilege LevelsSetting or Changing a Static Enable Password
-
PurposeCommand or Action
Returns to privileged EXEC mode.end
Example:
Switch(config)# end
Step 4
Verifies your entries.show running-config
Example:
Switch# show running-config
Step 5
(Optional) Saves your entries in the configuration file.copy running-config startup-config
Example:
Switch# copy running-config
Step 6
startup-config
Related Topics
Example: Setting or Changing a Static Enable Password, on page 33
Protecting Enable and Enable Secret Passwords with EncryptionFollow these steps to establish an encrypted password that users must enter to access privileged EXEC mode(the default) or any privilege level you specify:
SUMMARY STEPS
1. enable2. configure terminal3. Use one of the following:
enable password [level level]{password | encryption-type encrypted-password}
enable secret [level level]{password | encryption-type encrypted-password}
4. service password-encryption5. end6. show running-config7. copy running-config startup-config
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)22 OL-32606-01
Controlling Switch Access with Passwords and Privilege LevelsProtecting Enable and Enable Secret Passwords with Encryption
-
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode. Enter your password if prompted.enable
Example:
Switch> enable
Step 1
Enters the global configuration mode.configure terminal
Example:
Switch# configure terminal
Step 2
Use one of the following:Step 3 Defines a new password or changes an existing password foraccess to privileged EXEC mode.
enable password [level level]{password | encryption-typeencrypted-password}
Defines a secret password, which is saved using a nonreversibleencryption method.
(Optional) For level, the range is from 0 to 15. Level 1 isnormal user EXEC mode privileges. The default level is 15(privileged EXEC mode privileges).
enable secret [level level]{password | encryption-typeencrypted-password}
For password, specify a string from 1 to 25 alphanumericcharacters. The string cannot start with a number, is case
Example:Switch(config)# enable passwordexample102
sensitive, and allows spaces but ignores leading spaces. Bydefault, no password is defined.
(Optional) For encryption-type, only type 5, a Ciscoproprietary encryption algorithm, is available. If you specifyor
Switch(config)# enable secret level 1password secret123sample
an encryption type, you must provide an encryptedpasswordan encrypted password that you copy fromanother switch configuration.
If you specify an encryption type and then enter a cleartext password, you can not re-enter privileged EXECmode. You cannot recover a lost encrypted password byany method.
Note
(Optional) Encrypts the password when the password is defined orwhen the configuration is written.
service password-encryption
Example:
Switch(config)# service
Step 4
Encryption prevents the password from being readable in theconfiguration file.
password-encryption
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 23
Controlling Switch Access with Passwords and Privilege LevelsProtecting Enable and Enable Secret Passwords with Encryption
-
PurposeCommand or Action
Returns to privileged EXEC mode.end
Example:
Switch(config)# end
Step 5
Verifies your entries.show running-config
Example:
Switch# show running-config
Step 6
(Optional) Saves your entries in the configuration file.copy running-config startup-config
Example:
Switch# copy running-config
Step 7
startup-config
Related Topics
Additional Password Security, on page 18
Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 33
Disabling Password RecoveryFollow these steps to disable password recovery to protect the security of your switch:
Before You Begin
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on asecure server in case the end user interrupts the boot process and sets the system back to default values. Donot keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparentmode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. Whenthe switch is returned to the default system configuration, you can download the saved files to the switch byusing the Xmodem protocol.
SUMMARY STEPS
1. enable2. configure terminal3. system disable password recovery switch {all | }4. end
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)24 OL-32606-01
Controlling Switch Access with Passwords and Privilege LevelsDisabling Password Recovery
-
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode. Enter your password if prompted.enable
Example:
Switch> enable
Step 1
Enters the global configuration mode.configure terminal
Example:
Switch# configure terminal
Step 2
Disables password recovery.system disable password recovery switch {all| }
Step 3
all - Sets the configuration on switches in stack.
Example:
Switch(config)# system disable password
- Sets the configuration on the Switch Number selected.
This setting is saved in an area of the flash memory that is accessibleby the boot loader and the Cisco IOS image, but it is not part of thefile system and is not accessible by any user.
recovery switch all
Returns to privileged EXEC mode.end
Example:
Switch(config)# end
Step 4
What to Do Next
To remove disable password recovery, use the no system disable password recovery switch all globalconfiguration command.
Related Topics
Password Recovery, on page 19
Restrictions for Controlling Switch Access with Passwords and Privileges, on page 17
Setting a Telnet Password for a Terminal LineBeginning in user EXEC mode, follow these steps to set a Telnet password for the connected terminal line:
Before You Begin
Attach a PC or workstation with emulation software to the switch console port, or attach a PC to theEthernet management port.
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 25
Controlling Switch Access with Passwords and Privilege LevelsSetting a Telnet Password for a Terminal Line
-
The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to pressthe Return key several times to see the command-line prompt.
SUMMARY STEPS
1. enable2. configure terminal3. line vty 0 154. password password5. end6. show running-config7. copy running-config startup-config
DETAILED STEPS
PurposeCommand or Action
If a password is required for access to privileged EXECmode, you will be prompted for it.
Note
Enters privileged EXEC mode.
enable
Example:
Switch> enable
Step 1
Enters the global configuration mode.configure terminal
Example:
Switch# configure terminal
Step 2
Configures the number of Telnet sessions (lines), and enters lineconfiguration mode.
line vty 0 15
Example:
Switch(config)# line vty 0 15
Step 3
There are 16 possible sessions on a command-capable Switch. The0 and 15 mean that you are configuring all 16 possible Telnetsessions.
Sets a Telnet password for the line or lines.password passwordStep 4
Example:
Switch(config-line)# password abcxyz543
For password, specify a string from 1 to 25 alphanumeric characters.The string cannot start with a number, is case sensitive, and allowsspaces but ignores leading spaces. By default, no password isdefined.
Returns to privileged EXEC mode.end
Example:
Switch(config-line)# end
Step 5
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)26 OL-32606-01
Controlling Switch Access with Passwords and Privilege LevelsSetting a Telnet Password for a Terminal Line
-
PurposeCommand or Action
Verifies your entries.show running-config
Example:
Switch# show running-config
Step 6
(Optional) Saves your entries in the configuration file.copy running-config startup-config
Example:
Switch# copy running-config
Step 7
startup-config
Related Topics
Preventing Unauthorized Access, on page 13Preventing Unauthorized Access, on page 13Terminal Line Telnet Configuration, on page 19
Example: Setting a Telnet Password for a Terminal Line, on page 34
Configuring Username and Password PairsFollow these steps to configure username and password pairs:
SUMMARY STEPS
1. enable2. configure terminal3. username name [privilege level] {password encryption-type password}4. Use one of the following:
line console 0
line vty 0 15
5. login local6. end7. show running-config8. copy running-config startup-config
Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 27
Controlling Switch Access with Passwords and Privilege LevelsConfiguring Username and Password Pairs
-
DETAILED STEPS
PurposeCommand or Action
Enables privileged EXEC mode. Enter your password if prompted.enable
Example:
Switch> enable
Step 1
Enters the global configuration mode.configure terminal
Example:
Switch# configure terminal
Step 2
Sets the username, privilege level, and password for each user.username name [privilege level] {passwordencryption-type password}
Step 3
For name, specify the user ID as one word or the MAC address.Spaces and quotation marks are not allowed.
Example:
Switch(config)# username adamsample You can configure a maximum of 12000 clients each, for bothusername and MAC filter.privilege 1 password secret456
Switch(config)# username 111111111111mac attribute
(Optional) For level, specify the privilege level the user has aftergaining access. The range is 0 to 15. Level 15 gives privilegedEXEC mode access. Level 1 gives user EXEC mode access.
For encryption-type, enter 0 to specify that an unencryptedpassword will follow. Enter 7 to specify that a hidden passwordwill follow.
For password, specify the password the user must enter to gainaccess to the Switch. The password must be from 1 to 25characters, can contain embedded spaces, and must be the lastoption specified in the username command.
Enters line configuration mode, and configures the console port (line0) or the VTY lines (line 0 to 15).