Go to page of
Similar user manuals
-
Switch
Cisco Systems 2940
444 pages 5.33 mb -
Switch
Cisco Systems IE20004TSL
110 pages 7.73 mb -
Switch
Cisco Systems IE301016S8PC
26 pages 3.01 mb -
Switch
Cisco Systems 520
64 pages 8.2 mb -
Switch
Cisco Systems 4948E
162 pages 10.51 mb -
Switch
Cisco Systems IE 3000
32 pages 1.85 mb -
Switch
Cisco Systems WSC2960X48TSL
112 pages 3.1 mb -
Switch
Cisco Systems UCSFI6248E1628P
10 pages 0.4 mb
A good user manual
The rules should oblige the seller to give the purchaser an operating instrucion of Cisco Systems OL-5650-02, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.
What is an instruction?
The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of Cisco Systems OL-5650-02 one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.
Unfortunately, only a few customers devote their time to read an instruction of Cisco Systems OL-5650-02. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.
What should a perfect user manual contain?
First and foremost, an user manual of Cisco Systems OL-5650-02 should contain:
- informations concerning technical data of Cisco Systems OL-5650-02
- name of the manufacturer and a year of construction of the Cisco Systems OL-5650-02 item
- rules of operation, control and maintenance of the Cisco Systems OL-5650-02 item
- safety signs and mark certificates which confirm compatibility with appropriate standards
Why don't we read the manuals?
Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of Cisco Systems OL-5650-02 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of Cisco Systems OL-5650-02, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the Cisco Systems service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of Cisco Systems OL-5650-02.
Why one should read the manuals?
It is mostly in the manuals where we will find the details concerning construction and possibility of the Cisco Systems OL-5650-02 item, and its use of respective accessory, as well as information concerning all the functions and facilities.
After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.
Table of contents for the manual
-
Page 1
Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Cisco Content S er vices S witc h S ecurity Conf iguration Guide Sof twa re V er sion 7 .50 Marc h 2005 Text Part Number: O L-5650-02[...]
-
Page 2
THE SPECIFICA T IONS AND INFORMA TION REGARDING THE PRODUCTS IN THIS MAN U AL ARE SUBJECT TO CHANGE WITHOUT NO TICE. ALL ST A TEMENTS, INFORMA TION, AND RECOMMENDA TION S IN THIS MANUAL ARE BELIEVED T O BE A CCURA TE BUT ARE PRESENTED WITHOUT W ARRANTY OF ANY KIND, EX PRESS OR IMPLIED. USERS MUST T AKE FULL RESPONSIBILITY FO R THEIR APPLICA TION OF[...]
-
Page 3
iii Cisco Content Services Switch Security Configuration Guide OL-5650-02 CONTENTS Preface xi Audience xii How to Use This Guide xii Related Documentation xiii Symbols and Conventions xvi Obtaining Documentation xvii Cisco.com xvii Documentation DVD xviii Ordering Documentation xviii Documentation Feedback xviii Cisco Product Security Overview xix [...]
-
Page 4
Contents iv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Admi nistrative Access to the CSS 1-10 Enabling Administrativ e Access to the CSS 1-10 Disabling Administrative Access to the CSS 1-11 Controlling CSS Network Traffic Through Access Control Lists 1-12 ACL Overview 1-13 ACL Configuration Quick Start 1-15 Cr[...]
-
Page 5
v Cisco Content Services Switch Security Configuration Guide OL-5650-02 Contents Configuring SSHD in the CSS 2-3 Configuring SSHD Keepalive 2-3 Configuring SSHD Port 2-4 Configuring SSHD Server-Keybits 2-4 Configuring SSHD Version 2-5 Configuring Telnet Access When Using SSHD 2-6 Showing SSHD Configurations 2-6 CHAPTER 3 Configuring the CSS as a Cl[...]
-
Page 6
Contents vi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Setting the Global TACACS+ Keepalive Fre quency 4-7 Defining a TACACS+ Server 4-8 Setting TACACS+ Authorization 4-11 Sending Full CSS Commands to the TACACS+ Server 4-12 Setting TACACS+ Acco unting 4-13 Showing TACACS+ Server Configuration Information 4-14 CHAPTER 5 C[...]
-
Page 7
vii Cisco Content Services Switch Security Configuration Guide OL-5650-02 FIG UR ES Figure 1-1 CSS Directory Access Privileges 1-5 Figure 1-2 ACLs Enabled o n the CSS 1-14 Figure 5-1 Example of FWLB 5-9 Figure 5-2 FWLB with VIP/Interface Redundancy Configuration 5-11[...]
-
Page 8
Figures viii Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]
-
Page 9
ix Cisco Content Services Switch Security Configuration Guide OL-5650-02 TABLES T able 1-1 ACL Configuration Quick Start 1-16 T able 1-2 Clause Command Option s 1-21 T able 1-3 Field Descriptions for the show acl Command Output 1-31 T able 1-4 Field Descriptions for the show nql Command Output 1-38 T able 2-1 Field Descriptions for the show sshd co[...]
-
Page 10
Tables x Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]
-
Page 11
xi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface This guide provides in structions fo r configuring the securi ty features of th e Cisco 11500 Series Co ntent Services Switches (CSS). Information in this guide applies to all CSS models except where noted . The CSS software is a vailable in a Stan dard or optional Enh[...]
-
Page 12
Preface Audience xii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Audience This guide is intended for the follo wing trained and qualif ied service personnel who are responsible for conf iguring the CSS: • We b m a s t e r • System adminis trator • System operator How to Use This Guide This guide is or ganized as foll[...]
-
Page 13
xiii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Related Documentation Related Documentation In addition to thi s guide, the Content Se rvices Switch docume ntation includes the follo wing publications. Document T itle Description Release Note for the Cisco 11500 Series Content Services Switc h This release note pr[...]
-
Page 14
Preface Related Do cumentation xiv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Cisco Conte nt Services Switch Adm inistrati on Guide This guide de scribes how to perform adm inistrative tasks on the CSS, including upg rading your CSS software and co nfigu ring the follo wing: • Logging, includi ng displaying log messages[...]
-
Page 15
xv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Related Documentation Cisco Conte nt Services Switch Cont ent Load-Balancing Conf iguratio n Guide This guide describes ho w to perform CSS content load-balancing configur ation tasks, in cluding: • Flo w and port mapping • Services • Service, global, and script [...]
-
Page 16
Preface Symbols and Conventions xvi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Symbols and Conventions This guide u ses the fol lowing symbols and conv entions to identify d if ferent ty pes of informatio n. Caution A caution means that a specific action you take co uld cause a loss of data or adversely impact use of the [...]
-
Page 17
xvii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Documentation Courier text indicates text that appears on a command line, including the CLI prompt. Courier bold text indicates commands and te xt you enter in a command line. Italics text indicates the first occurrence of a ne w term, book title, emphasize[...]
-
Page 18
Preface Documentation Feedba ck xviii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Documentation DVD Cisco documentation and additi onal litera ture are a vailable in a Documentation D VD package, which m ay hav e shipped w ith your produc t. The Document ation D VD is updated regularly an d may be more current than pri nte[...]
-
Page 19
xix Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Cisco Product Security O verview Y ou can submit comments by using th e response card (if present) behind the front cov e r of your document or b y writing to the follo wing address: Cisco Systems Attn: Customer Document Or dering 170 W est T asman Driv e San Jose, CA[...]
-
Page 20
Preface Obtaining Technical Assistance xx Cisco Content Services Switch Security Configuration Guide OL-5650-02 • Nonemergencies — psirt@cisco.com Ti p W e encourage you to use Pretty Good Pri vac y (PGP) or a compatible produ ct to encrypt any sensiti ve information that you send to Cisco. PSIR T can work from encrypted information that is com[...]
-
Page 21
xxi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Techn ical Assistance Access to all tools on the Cisco T echni cal Support W ebsite requires a Cisco.com user ID and password. If you hav e a valid service contract b ut do not hav e a user ID or password, you can re gister at this URL: http://tools.cisco.co[...]
-
Page 22
Preface Obtaining Additional Publ ications and Information xxii Cisco Content Services Switch Security Configuration Guide OL-5650-02 For a complete list of Cisco T A C contacts, go to this URL: http://www .cisco.com/t echsupport/contacts Definitions of Service Request Severity T o ensure that all service req uests are reported in a standard format[...]
-
Page 23
xxiii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Additional Public ations and Information • Pa c k e t magazine is the C isco System s technical user magazine for maximizing Internet and netw orking in vestments. Each quarter , Packet deli vers co verage of the latest industry trends, tech nology break[...]
-
Page 24
Preface Obtaining Additional Publ ications and Information xxiv Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]
-
Page 25
CH A P T E R 1-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 1 Controlling CSS Access This chapter describes how to config ure access to the CSS including network traf fic. Information in this chapter applie s to all models of the CSS, except where noted. This chapter contains t he follo wing major sections: • Changing t[...]
-
Page 26
Chapter 1 Controlling CSS Access Changing the Administra tive Username and Pa ssword 1-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Changing the Administrative Username and Password During the initial log in to the CSS you enter the def ault user name admin and the default passw ord system in lo wercase text. F or securit[...]
-
Page 27
1-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Creating Usernames and Passwo rds Creating Usernames and Passwords Logging into the CSS requ ires a username and passw ord. The CSS supports a maximum of 32 usernames, inclu ding the administrator and tech nician usernames. Y ou can assign eac[...]
-
Page 28
Chapter 1 Controlling CSS Access Creating Usernames and Passwords 1-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • password - Specif ies the password is not en crypted. Use this option when you use the CLI to dynamically create use rs. • password - The p assword. Enter an unquoted te xt string with no spaces and a len[...]
-
Page 29
1-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Creating Usernames and Passwo rds • access - Specifies directory access privileg es for the username. By default, users hav e both read- and write-acces s pr i vileges (B) to all se ven directories. Enter , in order , one of the followi ng a[...]
-
Page 30
Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS 1-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Remote User Access to the CSS T o control access to th e CSS, you can config ure the CSS to authenti cate remote (virtual) or console users. The CSS can a u thenticate users by using the lo[...]
-
Page 31
1-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS Configuring Virtual Authentication V irtual authentication allo ws remote users to log in to the CSS when they are using FTP , T elnet, SSHD, or the Device Management user interface wi th or without re[...]
-
Page 32
Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS 1-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T o remov e users currently logged in to th e CSS, use the disconnect command. T o define th e T A CA CS+ server as the p rimary virtual authentication method, enter: #(config) virtual authentication p[...]
-
Page 33
1-9 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS • secondary - Defines the seco nd authentication method that the CSS u ses if the fi rst method fails. The d efault secondar y console authenticatio n method is to disallow all user access. Note If y[...]
-
Page 34
Chapter 1 Controlling CSS Access Controlling Administra tive Access to the CSS 1-10 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Administrati ve Access to the CSS CSS access through a console, FTP , SSH, SNMP , and T elnet is enabled by default. The CSS su pports a maximum of four FTP sessions and a max imum of [...]
-
Page 35
1-11 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Administrative Access to the CSS • no restrict xml - Enables t he transfer of XML conf iguration f iles to the CSS through unsecu re HTTP connection s (disabled by default). • no restrict web-mgmt - Enables De vice M anagement[...]
-
Page 36
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-12 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • re strict se cure -xml - Disables the transfer of XML configuration f iles to the CSS through secure HTTPS SSL conn ections (d isabled by default). • re strict xml - Disabl e[...]
-
Page 37
1-13 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists • Logging A CL Acti vity • A CL Example ACL Overview A CLs configured on the CSS provide a ba sic le vel of security for accessing your network. W ithout A CLs on the CSS, al[...]
-
Page 38
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-14 Cisco Content Services Switch Security Configuration Guide OL-5650-02 For e xample, Figure 1-2 shows three VLAN circui ts on the CSS. Figure 1 -2 ACLs Enabled on the CSS For VLAN1, if you w ant to allow any TC P traf fic to the destination V IP addre[...]
-
Page 39
1-15 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists Enabling A CLs globally af fects all traf fic on all CSS circui ts whether they h av e A CLs or not. When you enable A CLs, all tr aff ic on a c ircuit that is not conf igured in[...]
-
Page 40
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-16 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T able 1 -1 ACL Confi guration Quic k Start T ask and Command Example 1. Enter global conf iguration mode. # config (config)# 2. Create an A CL and access A C L mode. Enter an A CL[...]
-
Page 41
1-17 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists The follo w ing running-conf ig example sho ws the result of entering the commands in Ta b l e 1 - 1 . !**************************** ACL **************************** acl 7 clause[...]
-
Page 42
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-18 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Note If a circuit does not have an A CL, the CSS applies an implicit “deny all” clause to this circuit causing th e CSS to deny all traf fic on it. T o create an A CL and acces[...]
-
Page 43
1-19 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists 4. Apply another A CL on the circuit. I f you do not apply an A CL on the circuit, the CSS denies traff ic on the circu it when you enable A CLs on the CSS. 5. Reenable all A CLs[...]
-
Page 44
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-20 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • clause numbe r bypass - Creates a clause in the A CL to permit traffic on a circuit and bypasses (d oes not process) c ontent rules that apply to the traff ic. The syntax for c[...]
-
Page 45
1-21 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists Ta b l e 1 - 2 provides v ariables and options for the clause command. Bolded sy ntax defines keyw ords that you e nter on the comm and line. Italics de fine v ariab les where yo[...]
-
Page 46
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-22 Cisco Content Services Switch Security Configuration Guide OL-5650-02 sour ce_port The source port for the traf fic. If yo u do not designate a source port, this clause allo ws traff ic from any port number . E nter one of the follo wing: • eq port[...]
-
Page 47
1-23 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists destination_port The desti nation port. Enter one of the follo wing. Y ou may use a port number or port name with th e options. • eq port is equal to the port n umber . • lt [...]
-
Page 48
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-24 Cisco Content Services Switch Security Configuration Guide OL-5650-02 sourcegroup name The source group a s the destina t ion for the traf fic. Enter the group name. T o see a list of source grou ps, enter: show group ? Note The clause number bypass [...]
-
Page 49
1-25 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists After you create clauses for an ACL, you ca n apply the A CL to a circuit. For more informatio n, see the “ A pplying an A CL to a Circuit or DNS Queries” section. Adding a C[...]
-
Page 50
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-26 Cisco Content Services Switch Security Configuration Guide OL-5650-02 For e xample, you apply A CL 7 to VLAN1 and then globally enable A CLs on the CSS. At a later time, to add a new clause to A CL 7 and to hav e the clause take effect on the CSS, en[...]
-
Page 51
1-27 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists Note When you remov e an applied A CL from the circuit, the CSS applies an implicit “deny all” clause to this circuit causing the CSS to deny all traf fic on it. If you want [...]
-
Page 52
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-28 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Ho wev er , if you conf igure a CSS with the d ns-ser ver command, and the CSS recei ves a DNS query fo r a domain name that you conf igured on the CSS using the host command, the [...]
-
Page 53
1-29 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists 2. In A CL mode, remove the A CL from the circuit. (config-acl[7])# remove circuit-(VLAN1) 3. Make any changes to the A CL. If you delete an A CL from the circuit, conf igure ano[...]
-
Page 54
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-30 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Use the global configuration acl enable command to enable all A CLs on the CSS. T o globally enable all A CLs, enter: (config)# acl enable Disabling ACLs on the CSS If you need to [...]
-
Page 55
1-31 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists • DNS Hits - Pack ets that match an A CL clause for DNS f lo ws when an A CL clause is applied to DNS queries. Th e display includes a DNS hit counter , which counts DNS look u[...]
-
Page 56
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-32 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Setting the Show ACL Counters to Zero Use the zero counts com mand to reset the content and DNS hit coun ters in the show acl command screen to zero for a specif ic ACL. Y ou mu st[...]
-
Page 57
1-33 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists T o enable logging on an existing A CL clause, us e the log en able option for th e clause command and enter: (config-acl[7])# clause 1 log enable If A CLs are globally enabled o[...]
-
Page 58
Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-34 Cisco Content Services Switch Security Configuration Guide OL-5650-02 5. Reapply the A CL to the circuit. (config-acl[7])# apply circuit-(VLAN1) 6. In global configuration m ode, reenable a ll A CLs on the CSS. (config)# acl enable T o globally disab[...]
-
Page 59
1-35 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs !**************************** ACL *************************** acl 1 clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15 clause 30 permit any 172.16.107.0 255.255.255.0 destina[...]
-
Page 60
Chapter 1 Controlling CSS Access Configuring Network Q ualifier Lists for ACLs 1-36 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Creating an NQL Enter the name of the ne w NQL you want to create or an e xisting NQL. Enter the name as an unquoted te xt string with no spaces and a maximum of 31 characters. Y ou can create a m[...]
-
Page 61
1-37 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs The v ariables and options are: • ip_addr ess - The destination network addr ess. Enter the IP address in dotted-decimal notation (for e x ample, 192.168.0.0) . • subnet_pref ix | subnet_mask -[...]
-
Page 62
Chapter 1 Controlling CSS Access Configuring Network Q ualifier Lists for ACLs 1-38 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Adding an NQL to an ACL Clause T o add an NQL to an A CL clause: 1. Create the A CL. For example, enter: (config)# acl 10 2. Define the clause, incl uding the NQ L as either a source or destinatio[...]
-
Page 63
CH A P T E R 2-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 2 Configuring the Secure Shell Daemon Protocol The Secure Shell Daemon (SSHD) prot ocol provide s secure encr ypted communications between two hosts communicating o ver an insecure network. The CSS supports an implemen tation of OpenSSH to pr ovide this secure co[...]
-
Page 64
Chapter 2 Configuring t he Secure Shell Daemon Protocol Enabling SSH 2-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 This chapter contains t he follo wing major sections: • Enabling SSH • Config uring SSH Access • Config uring SSHD in the CSS • Config uring T elnet Access When Using SSHD • Showing SSHD Configurat[...]
-
Page 65
2-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Configuri ng SSH Access Configuring SSH Access SSH access to the CSS is enabled by default through the no restrict ssh command. Y ou can verify the SSH access se lection in the running-config f ile. T o enhance security w[...]
-
Page 66
Chapter 2 Configuring t he Secure Shell Daemon Protocol Configuring SSHD in the CSS 2-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Use the sshd keepalive command to enable SSHD keepaliv e. SSHD keepali ve is enabled by default. T o enable sending SSHD keepali ves to the client, enter: (config)# sshd keepalive T o disable [...]
-
Page 67
2-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Configuring SSHD in the CSS Note The valid range for this comma nd is 512 to 1024. Howe ver , to m aintain backward compatibility wi th version 5.00, the CSS allo ws you to enter a value from 512 to 32768. If you enter a [...]
-
Page 68
Chapter 2 Configuring t he Secure Shell Daemon Protocol Configuring Telnet Acc ess When Using SSHD 2-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Configuring Telnet Access When Using SSHD By default, T elnet access to the CSS is enabled. When you use SSH D, you can disable nonsecure T elnet access to the CSS. T o enhance [...]
-
Page 69
2-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Showing SSHD Configuratio ns T o display the SSHD sessions, enter: # show sshd sessions Listen Socket Count The number of sock ets that SSHD is cu rrently listen ing on (not currently co nfigurable, def ault is 1). Listen[...]
-
Page 70
Chapter 2 Configuring t he Secure Shell Daemon Protocol Showing SSHD Configurations 2-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Ta b l e 2 - 2 describes the fields in the show sshd sessions command output. T o display the SSHD v ersion, enter: # show sshd version SSHield version 1.5, SSH version OpenSSH_3.0.2p1 T able [...]
-
Page 71
CH A P T E R 3-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 3 Configuring the CSS as a Client of a RADIUS Server The Remote Authentication Dial-In User Servi ce (RADIUS) protocol is a distribu ted client/server pr otocol that protects networks ag ainst unauthorized access. RADIUS uses the User Data gram Protocol (UDP) to [...]
-
Page 72
Chapter 3 Configuring the CSS as a Client of a RADIUS Server 3-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 In a conf iguration where b oth a primary RA DIUS serv er and a seco ndary RADIUS server are specified, and one or both of the RADIUS servers become unreachable, the CSS automatically tran smits a k eepalive authent[...]
-
Page 73
3-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server RADIUS Configuration Quick Start RADIUS Configuration Quick Start Ta b l e 3 - 1 provides a quic k overvie w of the steps required to c onfigure the RADIUS feature on a CSS. Each ste p includes the CLI command requi[...]
-
Page 74
Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring a RADIUS Serv er for Use with the CSS 3-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 The follo wing running-configurat ion example sh ows the resul ts of entering the commands in Ta b l e 3 - 1 . !*************************** GLOBAL ******************[...]
-
Page 75
3-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring a RADIUS Server for Use with the CSS Configuring Authentication Settings T o configure the authentication settings on Cisco Secure A CS, go to the Network Config uration section of the Cisco Secure A CS [...]
-
Page 76
Chapter 3 Configuring the CSS as a Client of a RADIUS Server Specifying a Primary RADIUS Server 3-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T o add a user to a group, go to the User Setup sectio n of the Cisco Secure A CS HTML interface: • On the User Set up Select page, specify a username. • On the User Set up Edi[...]
-
Page 77
3-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Specifying a Secondary RADIUS Server T o remove a primary RADIUS server , enter: (config)# no radius-server primary Specifying a Secondary RADIUS Server The CSS directs authentication requests to the secondary RADIU[...]
-
Page 78
Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring the RA DIUS Server Timeouts 3-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Configuring the RADIUS Server Timeouts By default, th e CSS waits 10 seco nds for the RADIUS serv er (primary or secondary) to repl y to an authentication request before retra[...]
-
Page 79
3-9 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring the RADIUS Server Dead-Time T o reset the RADIUS server retransmit request to the default of 3 r et ran sm is sio ns , enter: (config)# no radius-server retransmit Configuring the RADIUS Server Dead-Time[...]
-
Page 80
Chapter 3 Configuring the CSS as a Client of a RADIUS Server Showing RADIUS Serve r Co nfiguration Information 3-10 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T o view the authentication statistics for a RADI US secondary ser ver , enter: (config)# show radius statistics secondary Ta b l e 3 - 2 describes the fields in th[...]
-
Page 81
3-11 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Showing RADIUS Server Configuration Infor mation Ta b l e 3 - 3 describes the fields in the show radius statistics output. T able 3-3 Field Descriptions f o r the show r adius statistics Command Field Description S[...]
-
Page 82
Chapter 3 Configuring the CSS as a Client of a RADIUS Server Showing RADIUS Serve r Co nfiguration Information 3-12 Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]
-
Page 83
CH A P T E R 4-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 4 Configuring the CSS as a Client of a TACACS+ Server The T erminal Access Controller Access Control System (T A CACS+) protocol provides access cont rol for routers, netw ork access servers (N AS), or other devices through one or mo re daemon se rvers. T A CA CS[...]
-
Page 84
Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server TACACS+ Configuration Quick Start 4-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 TACACS+ Configuration Quick Start Ta b l e 4 - 1 provides a quic k overvie w of the steps required to c onfigure the T ACA CS+ feature on a CSS. Each step include s the CLI comman[...]
-
Page 85
4-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Configuring TACACS+ Server User A ccounts for Use with the CSS The follo wing running-configurat ion example sh ows the resul ts of entering the commands in Ta b l e 4 - 1 . !************************** GLOBAL *****[...]
-
Page 86
Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Configuring TACACS+ Server User Accounts for Use with the CSS 4-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • K ey - Enter the shared secret that the CSS and Cisco Se cure A CS us e to authenticate transactions . For correct operation , you must specify the[...]
-
Page 87
4-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Configuring Global TACACS+ Attrib utes 4. Proceed next to Unmatched Commands, either permit or d eny e xecution of the pri vilege command: • For a user that has SuperUser pri vileges on the CSS, click Perm it . A[...]
-
Page 88
Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Configuring Global TACACS+ A ttributes 4-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Note The timeout, encryption k ey , or keepali ve frequency that you define wh en you configure a T ACA CS+ server o verrid es the global attribute (see the “Defining a TA [...]
-
Page 89
4-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Configuring Global TACACS+ Attrib utes Defining a Global Encryption Key The CSS allo ws you to def ine a global encryption ke y for communications with all configured T A CA CS+ servers. T o encrypt T A CACS+ packe[...]
-
Page 90
Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Defining a TACACS+ Server 4-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 When it sends a keepaliv e to the T ACA CS+ server , the CSS attempts to use a persistent connection with the serv er . If the server is not conf igured for persistence, the CSS opens a n[...]
-
Page 91
4-9 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Defining a TACACS+ Server Note For general guideli nes on the recommended setup of a T A CA CS+ server (the Cisco Secure Access Control Serv er in this example), see the “ T AC AC S+ Config uration Quick Start”[...]
-
Page 92
Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Defining a TACACS+ Server 4-10 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Defin ing this option o verrides the tacacs-server key command. F or more information on defining a gl obal encryption ke y , see the “Defining a Global Encryption Key” section. • [...]
-
Page 93
4-11 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Setting TACACS+ Authorization Setting TACACS+ Authorization T ACA CS+ authorization allo ws the T A CACS+ serv er to control specif ic CSS commands that the user can execute. C SS authorization di vides the comman[...]
-
Page 94
Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Sending Full CSS Commands to the TACACS+ Server 4-12 Cisco Content Services Switch Security Configuration Guide OL-5650-02 In releases prior to 7.30.1.05 , if you transitioned from one CLI mod e to another (for ex ample, from conf ig mode to service mode), and a ser vice already ex iste[...]
-
Page 95
4-13 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Setting TACACS+ Accounting T o reenable the CSS to send t he full command syntax, use the taca cs-ser ver send-full-command command. F or example: #(config) tacacs-server send-full-command Setting TACACS+ Accounti[...]
-
Page 96
Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Showing TACACS+ Server C onfiguration Information 4-14 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Showing TACACS+ Server Configuration Information Use the show tacacs-server command to display the T A CA CS+ server confi guration information. T o view this inf[...]
-
Page 97
4-15 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Showing TACACS+ Server Configuration Infor mation Authorize Conf ig Commands Indicates whether configuration commands receiv e authorization Authorize Non-Conf ig Indicates whether nonconfiguration commands recei [...]
-
Page 98
Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Showing TACACS+ Server C onfiguration Information 4-16 Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]
-
Page 99
CH A P T E R 5-1 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 5 Configuring Firewall Load Balancing This chapter descri bes how to configure the CSS Firew all Load Balanc ing (FWLB) feature. Informati on in this chapte r applie s to all CSS mod els, except where noted. This chapter contains t he follo wing major sections:[...]
-
Page 100
Chapter 5 Configurin g Firewall Load Balancing Overview of FWLB 5-2 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 Overview of FWLB FWLB enables you to conf igure a maximum of 15 fire walls per CSS. Config uring multiple f irewalls can o vercome performance limitations and remov e the single point of fai lure when all traff [...]
-
Page 101
5-3 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB Firewall Synchronization Fire wall solutions provi ding Stateful Inspectio n, such as Check Point ™ FireW all-1 ® , create and maintain virt ual state for all connections through their devices, e ven for st[...]
-
Page 102
Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB 5-4 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 Y ou must define f irewal l parameters for each path through the f irewalls on bo th local and r emote CSSs. Us e the ip fi rewall command t o defin e fire wall parameters. The syntax for this glob al conf igura[...]
-
Page 103
5-5 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB Use the ip fir ewall timeout number command to specify the number of seconds the CSS will wait to recei ve a keepali v e message from the remote CSS before declaring the firew all unreacha ble.The timeout rang[...]
-
Page 104
Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB 5-6 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 • inde x - An ex isting inde x number for the f irew all route. For information on config uring a f ire wall inde x, see the ip f irewall command. • distance - The optional administrati ve distance. Ente r a[...]
-
Page 105
5-7 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB T o stop adv ertising f irew all routes, enter: (config)# no ospf redistribute firewall Configuring RIP to Advertise Firewall Routes T o adver tise fire wall routes from other p rotocols through RIP , use the [...]
-
Page 106
Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB 5-8 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 T o conf igure CSS-A (the client side of the network co nfiguratio n) as sho wn in Figure 5-1 : 1. Use the ip fir ewall command to define f irewall 1. For e xample: (config)# ip firewall 1 192.168.28.1 192.168.2[...]
-
Page 107
5-9 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB Figure 5-1 illu strates the configur ation def ined in the f irewall command s. Figur e 5-1 Example of FWLB CSS-B CSS-A Server1 Client Firew all 2 Firew all 1 Client Server2 Ser ver3 Internet Router Client 192[...]
-
Page 108
Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redu ndancy 5-10 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 Configuring FWLB with VIP and Virtual Interface Redundancy Config ure FWLB with VIP and virtual interf ace redundancy to provide the follo wing benefits: • V ery fas[...]
-
Page 109
5-11 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redundan cy In Figure 5-2 , odd-numbered f irew alls are conn ected to the Layer 2 switches servicing the CSS-OUT -L and CSS-IN-L CSSs. Even-numb ered fire walls are connected t[...]
-
Page 110
Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redu ndancy 5-12 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 If the f ire wall supports i t, you can use multinetting b y configuring mu ltiple addresses on the f i re wall. If the f irewa ll does not support multipl e addresses[...]
-
Page 111
5-13 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redundan cy Example of Firewall and Route Configurations The follo wing ip fir ewall and ip route exampl e conf igurations are v alid for Figure 5-2 with four act iv e fire wall[...]
-
Page 112
Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redu ndancy 5-14 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 CSS-IN-L Configuration ip firewall 1 10.3.200.1 10.2.200.1 10.2.1.254 ip firewall 2 10.3.200.2 10.2.200.2 10.2.1.254 ip firewall 3 10.3.200.3 10.2.200.3 10.2.1.254 ip [...]
-
Page 113
5-15 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Displaying Firewall Flow Summaries Displaying Firewall Flow Summaries Use the sh ow flow s command to display the flo w summary for a source IP address, or for a specific source address an d its destinatio n IP address on a S[...]
-
Page 114
Chapter 5 Configurin g Firewall Load Balancing Displaying Firewall IP Routes 5-16 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 Ta b l e 5 - 1 describes the fields in the show flo ws output. Displaying Firewall IP Routes Use the show i p ro u t es fi rew a ll command to display all static f irewa ll routes. For exa mpl e: ([...]
-
Page 115
5-17 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Displaying Firewall IP Information Displaying Firewall IP Information Use the show ip f irewall command to display the conf igured v alues of the IP fire wall keepali ve timeout and the state of each f irewa ll path conf igur[...]
-
Page 116
Chapter 5 Configurin g Firewall Load Balancing Displaying Firewa ll IP Information 5-18 Cisco Content Services Switch Security Configura tion Guide OL-5650-02[...]
-
Page 117
IN-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 INDEX A Access Control Lists. See ACLs ACLs adding an NQL to a clause 1-38 applying to a circuit 1-27 clause number 1-19 configuration example 1-34 configuring 1-15 configuring clauses 1-19 creating 1-17 definition 1-13 deletin g 1-18 disabling globally 1-30 disabling loggin[...]
-
Page 118
Index IN-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 configuration example ACL 1-34 firewall load balancing 5-7 configuratio n quick start ACL 1-15 configuring ACL 1-12 CSS as RADIUS client 3-1 CSS as TACACS+ clien t 4-8 source group in an A CL 1-24 static proximity in ACL clause 1-25 user name and p assword 1-3 console [...]
-
Page 119
IN-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Index FTP enabling access 1-10 restricting access to the CSS 1-11 I IP route firewall load balancing , displaying 5-16, 5-17 static, for firewall load balancing 5-5 K keepalive ACL example 1-34 L license ke y Enhanced feat ure set 2-2 Proximity Database 2-2 license key, Sec [...]
-
Page 120
Index IN-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 R RADIUS Cisco Secure Access Control Server (ACS) 3-4 console authentication 1-8 CSS as RADIUS client, configuri ng 3-1 displaying c onfiguration i nformation 3-9 overview 3-1 primary RADIUS server 3-6 RADIUS server host parameters 3-1 running-config examp le 3-4 secon[...]
-
Page 121
IN-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Index T TACACS+ accounting, setting 4-13 authentication, setting 4-11 Cisco Secure Access Control Server (ACS) 4-3 console authentication 1-8 CSS as client, configuring 4-8 displaying c onfiguration i nformation 4-14 global encryptio n key 4-7 global keepalive f requency 4-7[...]
-
Page 122
Index IN-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]