S7C10 – Access Control: Managing Networks and Network Devices
Access Policies
- Manage network devices
  - Physical security
  - Access control to devices via data communications (console, VTY, HTTP, SNMP)
- User access via VLAN management
- Access to servers and services
  - Define the traffic permitted into and out of each switch block
  - Define filtering toward the core block and between switch blocks
Three-Layer Hierarchical Cisco Model
- Access layer
  - Allows legitimate users into the network
  - Port security and passwords
- Distribution layer
  - Layer 3 routing decisions; home of most access policy
  - Ensures only necessary traffic gets to the core
  - Advertises correct routing and service information to the core
- Core layer
  - Little or no policy control
  - Passes information as quickly as possible
Device Management
- Physical security
  - Provide a proper physical environment
  - Control direct access to devices
  - Secure access to network links
- Passwords
  - Out-of-band access: console and auxiliary ports
  - In-band access: TFTP, CiscoWorks 2000, VTY ports
  - Login with a line password or login authentication (local user database or AAA)
- Privilege levels
  - Establish configurations for access policies
  - Restrict virtual terminal and Telnet access
  - Session timeouts
Privilege Levels
- Level 0: only disable, enable, exit, help and logout; every higher level inherits the commands assigned to the levels below it
- Levels 1-15: level 1 is user EXEC and level 15 is privileged EXEC by default; the privilege command assigns individual commands to the intermediate levels
  - privilege exec level 2 ping
  - privilege exec level <level> show ip route (the level number is required by the command; the slide omits it)
Virtual Terminal Access
- 5 VTY lines (vty 0 4) by default; more can be defined
- access-class applies a standard access list to the line, filtering by source address
- HTTP management: authentication can be enforced with ip http authentication [aaa | enable | local]; ip http access-class applies the same source filtering to the HTTP server
- Caveat: Telnet and HTTP carry credentials in cleartext, so restrict them to the management VLAN or out-of-band path rather than relying on authentication alone
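The following IOS configuration ties the privilege-level and virtual-terminal slides together on one router: a help-desk level that may only ping and inspect the routing table, VTY and HTTP access restricted to a management subnet, and idle sessions timed out. It is an added example, not configuration from the course; the usernames, secrets, level 2, access list 10 and the 10.1.99.0/24 management subnet are all assumptions.

```cisco
! Added example; names, secrets and addresses are assumed, not from the course material.
service password-encryption
!
! --- Privilege levels: a help-desk level (2) that may only ping and read the routing table ---
privilege exec level 2 ping
privilege exec level 2 show ip route
enable secret level 2 Helpdesk-L2-Secret
enable secret level 15 Admin-L15-Secret
username helpdesk privilege 2 secret Helpdesk-Pw
username netadmin privilege 15 secret Admin-Pw
!
! --- Source restriction for management sessions: management subnet only, log the rest ---
access-list 10 remark management hosts only
access-list 10 permit 10.1.99.0 0.0.0.255
access-list 10 deny   any log
!
! --- Virtual terminals: filter by source, authenticate locally, drop idle sessions after 5 min ---
line vty 0 4
 access-class 10 in
 login local
 exec-timeout 5 0
 transport input ssh          ! use telnet only if the image has no SSH support
!
! --- Out-of-band lines: console authenticated, auxiliary port disabled ---
line con 0
 login local
 exec-timeout 5 0
line aux 0
 no exec
!
! --- HTTP management: same local user database and the same source restriction ---
ip http server
ip http authentication local
ip http access-class 10
```

A user who logs in as helpdesk lands at level 2 and sees only the level-0, level-1 and level-2 commands; `enable 15` with the level-15 secret is still required for configuration. Verify the effect with `show privilege` after logging in as each user, and confirm the access-class with a connection attempt from a host outside 10.1.99.0/24, which should be refused and logged.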
Access Layer Policy
- Port security
  - Limits the MAC addresses that are allowed to use a switch port
  - Lockdown: the port is disabled when a frame arrives from a MAC address different from the configured address
  - Not usually available for trunk ports
  - Static: the allowed address is assigned by the administrator
  - Dynamic: the first address seen on the port is learned and locked
  - CatOS: set port security 3/1 enable aab.bcc.dde.eff (the MAC address shown is a placeholder)
  - Catalyst 2900XL/3500XL IOS: port secure [max-mac-count 6]; the count can range from 1 to 132
- VLAN management
  - The management VLAN can be moved off VLAN 1 so that user ports no longer share the VLAN used to reach the switch itself
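The CatOS commands below show the two access-layer controls from the slide on a single switch: a statically secured user port and a management interface moved from VLAN 1 to a dedicated VLAN. This is an added example rather than the course's own configuration; module 3, ports 1 and 48, VLAN 99, the 10.1.99.0/24 subnet and the MAC address are assumed placeholders.

```cisco
# Added example (CatOS syntax); module/port numbers, VLAN 99 and all addresses are assumed.
# --- Static port security: one permitted station, lock the port down on any other source MAC ---
set port security 3/1 enable 00-11-22-33-44-55
set port security 3/1 maximum 1
set port security 3/1 violation shutdown
# --- Dynamic variant for a shared hub port: learn the first stations seen, up to 3 of them ---
set port security 3/2 enable
set port security 3/2 maximum 3
set port security 3/2 violation restrict
# --- Move management off VLAN 1: dedicated VLAN, sc0 in it, only the uplink carries it ---
set vlan 99 name MGMT
set interface sc0 99 10.1.99.10 255.255.255.0
set ip route default 10.1.99.1
set vlan 99 3/48
# --- Verify ---
show port security 3/1
show port security 3/2
show interface
```

After the change the switch answers Telnet, HTTP and SNMP only on 10.1.99.10 in VLAN 99, so the access-class on the distribution router (or the VTY permit list on the switch) can be written against one management subnet. `show port security` lists the secured address, the configured maximum and whether the port has been shut down by a violation; a port in shutdown state must be re-enabled with `set port enable 3/1` once the offending station is removed.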
Distribution Layer Policy
- Define the user traffic permitted between VLANs
- Define which routes are seen by the core block
- Define which services will be advertised
- Control information with filters
  - Standard and extended access lists
  - access-list, access-group, access-class, distribute-list
- In general, an outbound list processes more efficiently than an inbound list, because only packets routed to that interface are examined; the counterpoint is that an inbound list discards unwanted packets before a routing lookup is spent on them, so place the list where it drops the most traffic earliest
Filtering Routing Update Traffic
- Reduces the size of the routing table at the core block
- Prevents users from reaching networks that have not been advertised
- Prevents incorrect information from propagating
- Route summarization
- Distribute lists: control which routes the distribution layer can advertise
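This IOS configuration, added here as an example and not taken from the course, covers both distribution-layer slides: an extended access list applied to a user VLAN interface to control inter-VLAN traffic, and route summarization plus a distribute-list on the core uplink so that the core sees one summary for the switch block. VLAN 10 and 100, the 10.1.0.0/16 block, the server addresses, the FastEthernet0/0 uplink and EIGRP process 100 are assumptions.

```cisco
! Added example; VLAN numbers, addresses, interface names and the EIGRP process are assumed.
! --- User policy: VLAN 10 users may reach the server VLAN only for HTTPS and DNS ---
ip access-list extended VLAN10-POLICY
 permit tcp 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255 eq 443
 permit udp 10.1.10.0 0.0.0.255 host 10.1.100.53 eq 53
 deny   ip  10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255 log
 permit ip  10.1.10.0 0.0.0.255 any
!
interface Vlan10
 description user VLAN 10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-POLICY in      ! inbound: dropped before the routing lookup
!
! --- Toward the core: advertise one summary for the block, suppress the more-specifics ---
interface FastEthernet0/0
 description uplink to core block
 ip address 10.0.0.2 255.255.255.252
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0
!
! --- Distribute-list: only the block's own prefix may leave on the uplink ---
access-list 20 remark routes allowed toward the core
access-list 20 permit 10.1.0.0 0.0.255.255
access-list 20 deny   any
!
router eigrp 100
 network 10.0.0.0
 distribute-list 20 out FastEthernet0/0
```

Check the result from both sides: `show ip access-lists VLAN10-POLICY` on the distribution router shows hit counts against each line (the logged deny reveals which user subnets are probing the server VLAN), and `show ip route` on the core router should contain 10.1.0.0/16 but none of the /24 subnets behind it. The distribute-list is the safety net: even if the summary is removed, access-list 20 still stops any prefix outside 10.1.0.0/16 (a mis-addressed test network, for instance) from reaching the core.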
Core Layer
- QoS: congestion management and avoidance, queuing
- Minimize the use of access lists so the core can forward at full speed
CWI
- The Catalyst Web Interface (CWI) is a browser-based tool that can be used to configure the Catalyst 6000, 5000 and 4000 family switches
- It consists of a graphical user interface (GUI) that runs on the client, Catalyst CV 5.0 (the Catalyst version of CiscoView 5.0), and an HTTP server that runs on the switch
- A GUI alternative to the CLI and Simple Network Management Protocol (SNMP) interfaces; the CWI provides a real-time graphical representation of the switch and detailed information such as port status, module status, chassis type and installed modules
- Uses HTTP to download Catalyst CV from the switch to the client; HTTP is the TCP/IP protocol the World Wide Web uses to exchange HTML documents
- Caveat: because the switch runs an HTTP server, enable it only where the web interface is actually used, and restrict access to the management VLAN, since HTTP logins and page contents cross the network in cleartext