Home » Cisco Manuals » Hubs & Switches » Cisco 2950 » Manual Viewer

Cisco 2950 Software Configuration Guide - Page 549

Applying Time Ranges to ACLs, Step 5

UPC - 746320454504

Add to My Manuals
Save this manual to your list of manuals

Page 549 highlights

Chapter 29 Configuring Network Security with ACLs Configuring ACLs Step 5 Step 6 Command show access-lists [number | name] copy running-config startup-config Purpose Show the access list configuration. (Optional) Save your entries in the configuration file. When making the standard and extended ACL, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACEs to a specific ACL. However, you can use no permit and no deny commands to remove ACEs from a named ACL. This example shows how you can delete individual ACEs from a named ACL: Switch(config)# ip access-list extended border-list Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs. After creating an ACL, you must apply it to a line or interface, as described in the "Applying ACLs to Terminal Lines or Physical Interfaces" section on page 29-19. Applying Time Ranges to ACLs You can implement extended ACLs based on the time of day and week by using the time-range global configuration command. First, define the name and times of the day and week of the time range, and then reference the time range by name in an ACL to apply restrictions to the access list. You can use the time range to define when the permit or deny statements in the ACL are in effect. The time-range keyword and argument are referenced in the named and numbered extended ACL task tables in the "Creating Standard and Extended IP ACLs" section on page 29-7, and the "Creating Named Standard and Extended ACLs" section on page 29-13. These are some of the many benefits of using time ranges: • You have more control over permitting or denying a user access to resources, such as an application (identified by an IP address mask pair and a port number). • You can control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, you can simply deny access without having to analyze many logs generated during peak hours. Note The time range relies on the switch system clock. Therefore, you need a reliable clock source. We recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more information, see the "Managing the System Time and Date" section on page 8-1. Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL: Step 1 Step 2 Command configure terminal time-range time-range-name Purpose Enter global configuration mode. Identify the time-range by a meaningful name (for example, workhours), and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter. 78-11380-10 Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 29-15

Section	Page
Catalyst2950and Catalyst2955 Switch Software Configuration Guide	1
Contents	3
Preface	29
Audience	29
Purpose	29
Conventions	30
Related Publications	31
Obtaining Documentation	31
Cisco.com	31
Ordering Documentation	32
Documentation Feedback	32
Obtaining Technical Assistance	32
Cisco Technical Support Website	33
Submitting a Service Request	33
Definitions of Service Request Severity	33
Obtaining Additional Publications and Information	34
Overview	35
Features	35
Management Options	42
Management Interface Options	42
Advantages of Using CMS and Clustering Switches	43
Network Configuration Examples	44
Design Concepts for Using the Switch	44
Small to Medium-Sized Network Configuration	47
Collapsed Backbone and Switch Cluster Configuration	48
Hotel Network Configuration	49
Service-Provider Central-Office Configuration	52
Large Campus Configuration	53
Multidwelling Network Using Catalyst 2950 Switches	54
Long-Distance, High-Bandwidth Transport Configuration	56
Where to Go Next	56
Using the Command-Line Interface	57
Cisco IOS Command Modes	57
Getting Help	59
Abbreviating Commands	60
Using no and default Forms of Commands	60
Understanding CLI Messages	61
Using Command History	61
Changing the Command History Buffer Size	61
Recalling Commands	62
Disabling the Command History Feature	62
Using Editing Features	62
Enabling and Disabling Editing Features	62
Editing Commands through Keystrokes	63
Editing Command Lines that Wrap	64
Searching and Filtering Output of show and more Commands	65
Accessing the CLI	65
Accessing the CLI from a Browser	66
Configuring Catalyst 2955 Switch Alarms	67
Understanding Catalyst 2955 Switch Alarms	67
Global Status Monitoring Alarms	68
FCS Error Hysteresis Threshold	68
Port Status Monitoring Alarms	69
Triggering Alarm Options	69
Configuring Catalyst2955 Switch Alarms	70
Default Catalyst2955 Switch Alarm Configuration	70
Configuring the Power Supply Alarm	71
Setting the Power Mode	71
Setting the Power Supply Alarm Options	71
Configuring the Switch Temperature Alarms	72
Setting a Secondary Temperature Threshold for the Switch	72
Associating the Temperature Alarms to a Relay	73
Configuring the FCS Bit Error Rate Alarm	73
Setting the FCS Error Threshold	74
Setting the FCS Error Hysteresis Threshold	74
Configuring Alarm Profiles	75
Creating or Modifying an Alarm Profile	75
Attaching an Alarm Profile to a Specific Port	76
Enabling SNMP Traps	77
Displaying Catalyst2955 Switch Alarms Status	77
Getting Started with CMS	79
Understanding CMS	79
Front Panel View	79
Topology View	80
CMS Menu Bar, Toolbar, and Feature Bar	80
Online Help	83
Configuration Modes	83
Guide Mode	83
Expert Mode	84
Wizards	84
Privilege Levels	85
Access to Older Switches in a Cluster	85
Configuring CMS	85
CMS Requirements	86
Minimum Hardware Configuration	86
Operating System and Browser Support	86
CMS Plug-In	87
Cross-Platform Considerations	87
HTTP Access to CMS	87
Specifying an HTTP Port (Nondefault Configuration Only)	88
Configuring an Authentication Method (Nondefault Configuration Only)	88
Displaying CMS	88
Launching CMS	88
Front Panel View	91
Topology View	92
CMS Icons	93
Where to Go Next	93
Assigning the Switch IP Address and Default Gateway	95
Understanding the Boot Process	95
Assigning Switch Information	96
Default Switch Information	97
Understanding DHCP-Based Autoconfiguration	97
DHCP Client Request Process	98
Configuring DHCP-Based Autoconfiguration	99
DHCP Server Configuration Guidelines	99
Configuring the TFTP Server	100
Configuring the DNS	101
Configuring the Relay Device	101
Obtaining Configuration Files	102
Example Configuration	103
Manually Assigning IP Information	104
Checking and Saving the Running Configuration	105
Modifying the Startup Configuration	105
Default Boot Configuration	106
Automatically Downloading a Configuration File	106
Specifying the Filename to Read and Write the System Configuration	106
Booting Manually	107
Booting a Specific Software Image	107
Controlling Environment Variables	108
Scheduling a Reload of the Software Image	110
Configuring a Scheduled Reload	110
Displaying Scheduled Reload Information	111
Configuring IE2100 CNS Agents	113
Understanding IE2100Series Configuration Registrar Software	113
CNS Configuration Service	114
CNS Event Service	115
NameSpace Mapper	115
What You Should Know About ConfigID, DeviceID, and Host Name	115
ConfigID	115
DeviceID	116
Host Name and DeviceID	116
Using Host Name, DeviceID, and ConfigID	116
Understanding CNS Embedded Agents	117
Initial Configuration	117
Incremental (Partial) Configuration	118
Synchronized Configuration	118
Configuring CNS Embedded Agents	118
Enabling Automated CNS Configuration	118
Enabling the CNS Event Agent	120
Enabling the CNS Configuration Agent	121
Enabling an Initial Configuration	121
Enabling a Partial Configuration	124
Displaying CNS Configuration	125
Clustering Switches	127
Understanding Switch Clusters	128
Command Switch Characteristics	129
Standby Command Switch Characteristics	129
Candidate Switch and Member Switch Characteristics	130
Planning a Switch Cluster	131
Automatic Discovery of Cluster Candidates and Members	131
Discovery through CDP Hops	132
Discovery through Non-CDP-Capable and Noncluster-Capable Devices	133
Discovery through the Same Management VLAN	134
Discovery through Different Management VLANs	135
Discovery of Newly Installed Switches	136
HSRP and Standby Command Switches	137
Virtual IP Addresses	138
Other Considerations for Cluster Standby Groups	138
Automatic Recovery of Cluster Configuration	140
IP Addresses	140
Host Names	141
Passwords	141
SNMP Community Strings	141
TACACS+ and RADIUS	142
Access Modes in CMS	142
Management VLAN	142
LRE Profiles	143
Availability of Switch-Specific Features in Switch Clusters	143
Creating a Switch Cluster	144
Enabling a Command Switch	144
Adding Member Switches	145
Creating a Cluster Standby Group	147
Verifying a Switch Cluster	148
Using the CLI to Manage Switch Clusters	149
Catalyst1900 and Catalyst2820 CLI Considerations	150
Using SNMP to Manage Switch Clusters	150
Administering the Switch	153
Managing the System Time and Date	153
Understanding the System Clock	153
Understanding Network Time Protocol	154
Configuring NTP	155
Default NTP Configuration	156
Configuring NTP Authentication	156
Configuring NTP Associations	158
Configuring NTP Broadcast Service	159
Configuring NTP Access Restrictions	160
Configuring the Source IP Address for NTP Packets	162
Displaying the NTP Configuration	163
Configuring Time and Date Manually	163
Setting the System Clock	164
Displaying the Time and Date Configuration	164
Configuring the Time Zone	165
Configuring Summer Time (Daylight Saving Time)	166
Configuring a System Name and Prompt	168
Default System Name and Prompt Configuration	168
Configuring a System Name	168
Configuring a System Prompt	169
Understanding DNS	169
Default DNS Configuration	170
Setting Up DNS	170
Displaying the DNS Configuration	171
Creating a Banner	171
Default Banner Configuration	171
Configuring a Message-of-the-Day Login Banner	172
Configuring a Login Banner	173
Managing the MAC Address Table	173
Building the Address Table	174
MAC Addresses and VLANs	174
Default MAC Address Table Configuration	175
Changing the Address Aging Time	175
Removing Dynamic Address Entries	176
Configuring MAC Address Notification Traps	176
Adding and Removing Static Address Entries	178
Configuring Unicast MAC Address Filtering	179
Displaying Address Table Entries	180
Managing the ARP Table	180
Configuring Switch-Based Authentication	181
Preventing Unauthorized Access to Your Switch	181
Protecting Access to Privileged EXEC Commands	182
Default Password and Privilege Level Configuration	182
Setting or Changing a Static Enable Password	183
Protecting Enable and Enable Secret Passwords with Encryption	184
Disabling Password Recovery	185
Setting a Telnet Password for a Terminal Line	186
Configuring Username and Password Pairs	187
Configuring Multiple Privilege Levels	188
Setting the Privilege Level for a Command	188
Changing the Default Privilege Level for Lines	189
Logging into and Exiting a Privilege Level	190
Controlling Switch Access with TACACS+	190
Understanding TACACS+	190
TACACS+ Operation	192
Configuring TACACS+	192
Default TACACS+ Configuration	193
Identifying the TACACS+ Server Host and Setting the Authentication Key	193
Configuring TACACS+ Login Authentication	194
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	196
Starting TACACS+ Accounting	197
Displaying the TACACS+ Configuration	197
Controlling Switch Access with RADIUS	198
Understanding RADIUS	198
RADIUS Operation	199
Configuring RADIUS	200
Default RADIUS Configuration	200
Identifying the RADIUS Server Host	201
Configuring RADIUS Login Authentication	203
Defining AAA Server Groups	205
Configuring RADIUS Authorization for User Privileged Access and Network Services	207
Starting RADIUS Accounting	208
Configuring Settings for All RADIUS Servers	209
Configuring the Switch to Use Vendor-Specific RADIUS Attributes	209
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication	210
Displaying the RADIUS Configuration	211
Configuring the Switch for Local Authentication and Authorization	212
Configuring the Switch for Secure Shell	213
Understanding SSH	213
SSH Servers, Integrated Clients, and Supported Versions	213
Limitations	214
Configuring SSH	214
Configuration Guidelines	214
Cryptographic Software Image Guidelines	215
Setting Up the Switch to Run SSH	215
Configuring the SSH Server	216
Displaying the SSH Configuration and Status	217
Configuring 802.1x Port-Based Authentication	219
Understanding 802.1x Port-Based Authentication	219
Device Roles	220
Authentication Initiation and Message Exchange	221
Ports in Authorized and Unauthorized States	222
802.1x Accounting	223
Supported Topologies	223
Using 802.1x with Port Security	224
Using 802.1x with Voice VLAN Ports	225
Using 802.1x with VLAN Assignment	225
Using 802.1x with Guest VLAN	226
Configuring 802.1x Authentication	227
Default 802.1x Configuration	227
802.1x Configuration Guidelines	228
Upgrading from a Previous Software Release	229
Enabling 802.1x Authentication	229
Configuring the Switch-to-RADIUS-Server Communication	231
Enabling Periodic Re-Authentication	232
Manually Re-Authenticating a Client Connected to a Port	233
Changing the Quiet Period	233
Changing the Switch-to-Client Retransmission Time	233
Setting the Switch-to-Client Frame-Retransmission Number	234
Configuring the Host Mode	235
Configuring a Guest VLAN	236
Resetting the 802.1x Configuration to the Default Values	236
Configuring 802.1x Authentication	237
Configuring 802.1x Accounting	238
Displaying 802.1x Statistics and Status	239
Configuring Interface Characteristics	241
Understanding Interface Types	241
Access Ports	242
Trunk Ports	242
Port-Based VLANs	243
EtherChannel Port Groups	243
Connecting Interfaces	244
Using the Interface Command	244
Procedures for Configuring Interfaces	245
Configuring a Range of Interfaces	245
Configuring and Using Interface-Range Macros	247
Configuring Ethernet Interfaces	248
Default Ethernet Interface Configuration	249
Configuring Interface Speed and Duplex Mode	250
Configuration Guidelines	250
Setting the Interface Speed and Duplex Parameters on a Non-LRE Switch Port	252
Setting the Interface Speed and Duplex Parameters on an LRE Switch Port	252
Configuring Media Types for Gigabit Ethernet Interfaces on LRE Switches	253
Configuring IEEE 802.3z Flow Control on Gigabit Ethernet Ports	253
Adding a Description for an Interface	254
Monitoring and Maintaining the Interfaces	255
Monitoring Interface and Controller Status	255
Clearing and Resetting Interfaces and Counters	256
Shutting Down and Restarting the Interface	257
Configuring Smartports Macros	259
Understanding Smartports Macros	259
Configuring Smartports Macros	260
Default Smartports Macro Configuration	260
Smartports Macro Configuration Guidelines	261
Creating Smartports Macros	262
Applying Smartports Macros	263
Applying Cisco-Default Smartports Macros	264
Displaying Smartports Macros	266
Configuring LRE	267
Understanding LRE Features	267
Ports on the Catalyst 2950 LRE Switches	267
LRE Links and LRE Profiles	268
LRE Profiles	268
LRE Sequences	271
CPE Ethernet Links	272
LRE Link Monitor	273
LRE Message Logging Process	274
Configuring LRE Ports	274
Default LRE Configuration	275
Environmental Guidelines for LRE Links	275
Guidelines for Using LRE Profiles	276
CPE Ethernet Link Guidelines	277
Guidelines for Configuring Cisco 575 LRE CPEs and 576 LRE 997 CPEs	277
Guidelines for Configuring Cisco 585 LRE CPEs	278
Assigning a Global Profile to All LRE Ports	278
Assigning a Profile to a Specific LRE Port	279
Assigning a Global Sequence to All LRE Ports	279
Assigning a Sequence to a Specific LRE Port	280
Using Rate Selection to Automatically Assign Profiles	280
Precedence	281
Profile Locking	281
Link Qualification and SNR Margins	282
Configuring LRE Link Persistence	285
Configuring LRE Link Monitor	286
Configuring LRE Interleave	286
Configuring Upstream Power Back-Off	287
Configuring CPE Toggle	288
Configuring Syslog Export	288
Upgrading LRE Switch Firmware	289
Configuring for an LRE Upgrade	290
Performing an LRE Upgrade	290
Global Configuration of LRE Upgrades	291
Controller Configuration of LRE Upgrades	291
LRE Upgrade Details	292
LRE Upgrade Example	292
Displaying LRE Status	293
Configuring STP	295
Understanding Spanning-Tree Features	295
STP Overview	296
Spanning-Tree Topology and BPDUs	297
Bridge ID, Switch Priority, and Extended System ID	298
Spanning-Tree Interface States	298
Blocking State	300
Listening State	300
Learning State	300
Forwarding State	300
Disabled State	301
How a Switch or Port Becomes the Root Switch or Root Port	301
Spanning Tree and Redundant Connectivity	302
Spanning-Tree Address Management	302
Accelerated Aging to Retain Connectivity	302
Spanning-Tree Modes and Protocols	303
Supported Spanning-Tree Instances	303
Spanning-Tree Interoperability and Backward Compatibility	304
STP and IEEE 802.1Q Trunks	304
Configuring Spanning-Tree Features	305
Default Spanning-Tree Configuration	305
Spanning-Tree Configuration Guidelines	306
Changing the Spanning-Tree Mode	307
Disabling Spanning Tree	308
Configuring the Root Switch	308
Configuring a Secondary Root Switch	310
Configuring the Port Priority	311
Configuring the Path Cost	313
Configuring the Switch Priority of a VLAN	314
Configuring Spanning-Tree Timers	315
Configuring the Hello Time	315
Configuring the Forwarding-Delay Time for a VLAN	316
Configuring the Maximum-Aging Time for a VLAN	316
Configuring Spanning Tree for Use in a Cascaded Stack	317
Displaying the Spanning-Tree Status	318
Configuring MSTP	319
Understanding MSTP	320
Multiple Spanning-Tree Regions	320
IST, CIST, and CST	320
Operations Within an MST Region	321
Operations Between MST Regions	321
Hop Count	322
Boundary Ports	323
Interoperability with 802.1D STP	323
Understanding RSTP	324
Port Roles and the Active Topology	324
Rapid Convergence	325
Synchronization of Port Roles	326
Bridge Protocol Data Unit Format and Processing	327
Processing Superior BPDU Information	328
Processing Inferior BPDU Information	328
Topology Changes	328
Configuring MSTP Features	329
Default MSTP Configuration	330
MSTP Configuration Guidelines	330
Specifying the MST Region Configuration and Enabling MSTP	331
Configuring the Root Switch	332
Configuring a Secondary Root Switch	334
Configuring the Port Priority	335
Configuring the Path Cost	336
Configuring the Switch Priority	337
Configuring the Hello Time	337
Configuring the Forwarding-Delay Time	338
Configuring the Maximum-Aging Time	339
Configuring the Maximum-Hop Count	339
Specifying the Link Type to Ensure Rapid Transitions	340
Restarting the Protocol Migration Process	340
Displaying the MST Configuration and Status	341
Configuring Optional Spanning-Tree Features	343
Understanding Optional Spanning-Tree Features	343
Understanding Port Fast	344
Understanding BPDU Guard	344
Understanding BPDU Filtering	345
Understanding UplinkFast	345
Understanding Cross-Stack UplinkFast	347
How CSUF Works	347
Events that Cause Fast Convergence	349
Limitations	349
Connecting the Stack Ports	350
Understanding BackboneFast	351
Understanding EtherChannel Guard	353
Understanding Root Guard	353
Understanding Loop Guard	354
Configuring Optional Spanning-Tree Features	354
Default Optional Spanning-Tree Configuration	355
Optional Spanning-Tree Configuration Guidelines	355
Enabling Port Fast	355
Enabling BPDU Guard	356
Enabling BPDU Filtering	357
Enabling UplinkFast for Use with Redundant Links	358
Enabling Cross-Stack UplinkFast	359
Enabling BackboneFast	360
Enabling EtherChannel Guard	360
Enabling Root Guard	361
Enabling Loop Guard	361
Displaying the Spanning-Tree Status	362
Configuring VLANs	363
Understanding VLANs	363
Supported VLANs	364
VLAN Port Membership Modes	365
Configuring Normal-Range VLANs	366
Token Ring VLANs	367
Normal-Range VLAN Configuration Guidelines	367
VLAN Configuration Mode Options	368
VLAN Configuration in config-vlan Mode	368
VLAN Configuration in VLAN Configuration Mode	368
Saving VLAN Configuration	369
Default Ethernet VLAN Configuration	369
Creating or Modifying an Ethernet VLAN	370
Deleting a VLAN	372
Assigning Static-Access Ports to a VLAN	373
Configuring Extended-Range VLANs	374
Default VLAN Configuration	374
Extended-Range VLAN Configuration Guidelines	374
Creating an Extended-Range VLAN	375
Displaying VLANs	376
Configuring VLAN Trunks	377
Trunking Overview	377
802.1Q Configuration Considerations	378
Default Layer 2 Ethernet Interface VLAN Configuration	379
Configuring an Ethernet Interface as a Trunk Port	379
Interaction with Other Features	380
Configuring a Trunk Port	380
Defining the Allowed VLANs on a Trunk	381
Changing the Pruning-Eligible List	382
Configuring the Native VLAN for Untagged Traffic	383
Load Sharing Using STP	384
Load Sharing Using STP Port Priorities	384
Load Sharing Using STP Path Cost	386
Configuring VMPS	387
Understanding VMPS	387
Dynamic Port VLAN Membership	388
VMPS Database Configuration File	388
Default VMPS Client Configuration	389
VMPS Configuration Guidelines	389
Configuring the VMPS Client	390
Entering the IP Address of the VMPS	390

Match case Limit results 1 per page

29-15

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide

78-11380-10

Chapter 29

Configuring Network Security with ACLs

Configuring ACLs

When making the standard and extended ACL, remember that, by default, the end of the ACL contains

an implicit

deny statement for everything if it did not find a match before reaching the end. For standard

ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is

assumed to be the mask.

After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACEs

to a specific ACL. However, you can use

no permit

and

no deny

commands to remove ACEs from a

named ACL. This example shows how you can delete individual ACEs from a named ACL:

Switch(config)#

ip access-list extended border-list

Switch(config-ext-nacl)#

no permit ip host 10.1.1.3 any

Being able to selectively remove lines from a named ACL is one reason you might use named ACLs

instead of numbered ACLs.

After creating an ACL, you must apply it to a line or interface, as described in the

“Applying ACLs to

Terminal Lines or Physical Interfaces” section on page 29-19

Applying Time Ranges to ACLs

You can implement extended ACLs based on the time of day and week by using the

time-range

global

configuration command. First, define the name and times of the day and week of the time range, and then

reference the time range by name in an ACL to apply restrictions to the access list. You can use the time

range to define when the permit or deny statements in the ACL are in effect. The

time-range

keyword

and argument are referenced in the named and numbered extended ACL task tables in the

“Creating

Standard and Extended IP ACLs” section on page 29-7

, and the

“Creating Named Standard and

Extended ACLs” section on page 29-13

These are some of the many benefits of using time ranges:

•

You have more control over permitting or denying a user access to resources, such as an application

(identified by an IP address mask pair and a port number).

•

You can control logging messages. ACL entries can log traffic at certain times of the day, but not

constantly. Therefore, you can simply deny access without having to analyze many logs generated

during peak hours.

Note

The time range relies on the switch system clock. Therefore, you need a reliable clock source. We

recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more

information, see the

“Managing the System Time and Date” section on page 8-1

Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL:

Step 5

show access-lists

[

number

name

]

Show the access list configuration.

Step 6

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Command

Purpose

Command

Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

time-range

time-range-name

Identify the time-range by a meaningful name (for example,

workhours

and enter time-range configuration mode. The name cannot contain a

space or quotation mark and must begin with a letter.