Sample Switch Configurations - Appendixes - CCNP Security SISAS 300-208 Official Cert Guide (2015)


Part VIII: Appendixes

Appendix D. Sample Switch Configurations

This appendix includes some full sample configurations of various device types with multiple IOS versions, all designed to follow the guidelines and practices laid out throughout the chapters of this book.

Many commands are identical across the platforms, because there are only minor variances between the switch platforms and the features they support. For specific explanations of each command, please see Chapter 12, “Implement Wired and Wireless Authentication.”

Catalyst 2960/3560/3750 Series, 12.2(55)SE

With these models and this IOS version there is no Device Sensor, so the SNMP commands are included to let ISE profile endpoints by polling the switch over SNMP. Note that the SNMP community string, the RADIUS shared secret, and the radius-test password in these listings are sample values shown in cleartext (type 0), and SNMPv2c carries the community string in the clear on the wire; substitute your own values and do not carry type 0 credentials into a production configuration.

3560-X# show run
Building configuration...

Current configuration : 22928 bytes
!
version 12.2
hostname 3560-X
logging monitor informational
username radius-test password 0 Cisco123
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 1440
!
! Dynamic Authorization is the official term for CoA, which allows a RADIUS server
! to send commands to the NAD to change the authorization for the endpoint.
aaa server radius dynamic-author
client 10.1.103.232 server-key Cisco123
!
aaa session-id common
authentication mac-move permit
ip routing
!
ip domain-name ise.local
ip name-server 10.1.100.100
! IP Device Tracking is required in order to insert the client IP address into
! downloadable ACLs (dACLs).
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-4076357888
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4076357888
revocation-check none
rsakeypair TP-self-signed-4076357888
!
!
crypto pki certificate chain TP-self-signed-4076357888
certificate self-signed 01
quit
!
dot1x system-auth-control
!
interface Loopback0
ip address 192.168.254.60 255.255.255.255
!
interface range <ALL EDGE PORTS>
switchport access vlan 41
! VLAN 41 is the data VLAN for this particular switch. This will vary in your
! environment.
switchport mode access
switchport voice vlan 99
! VLAN 99 is the voice VLAN in this particular switch. This will vary in your
! environment.
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan40
ip address 10.1.40.60 255.255.255.0
!
!
ip http server
ip http secure-server
!
ip access-list extended ACL-AGENT-REDIRECT
remark explicitly prevent DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
ip access-list extended ACL-WEBAUTH-REDIRECT
remark explicitly prevent DNS from being redirected to accommodate certain
switches
deny udp any any eq domain
remark redirect all applicable traffic to the ISE Server
permit tcp any any eq www
permit tcp any any eq 443
remark all other traffic will be implicitly denied from the redirection
!
ip radius source-interface Loopback0
! The following logging commands should be used ONLY when troubleshooting
! or doing an initial roll-out. Sending all the syslog to the MNT node can be
! overwhelming and affect performance and storage.
! See Chapter 22, "Troubleshooting Tools," for more information.
logging origin-id ip
logging source-interface Loopback0
logging host 10.1.103.4 transport udp port 20514
! Cisco ISE Monitoring uses a nontraditional port for Syslog. It uses 20514
! instead of 514.
!
! The following SNMP commands are used because this switch version does not have
! Device Sensor capabilities.
snmp-server community CiscoPressRO RO
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server host 10.1.103.231 version 2c CiscoPressRO
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
! The definitions of these attributes and their importance are covered in detail
! in Chapter 12, "Implement Wired and Wireless Authentication."
radius-server dead-criteria time 5 tries 3
radius-server host 10.1.103.232 auth-port 1812 acct-port 1813 key Cisco123
radius-server vsa send accounting
radius-server vsa send authentication
!
end
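The remarks inside ACL-WEBAUTH-REDIRECT and ACL-AGENT-REDIRECT say that everything not permitted is “implicitly denied from the redirection,” which is easy to misread as the traffic being dropped. The following script is an added example, not code from the book or from Cisco: it parses the subset of extended-ACL syntax these listings use (permit/deny, ip/tcp/udp/icmp, any, eq port, log) and evaluates a few constructed flows against ACL-WEBAUTH-REDIRECT and ACL-DEFAULT, showing that a permit in a redirect ACL selects traffic for the ISE portal, while a permit in a port ACL or dACL such as ACL-DEFAULT forwards it. The port-keyword table and the sample flows are assumptions, not taken from the page.

```python
"""Evaluate sample flows against the ACLs defined in the listing above.

Added example for this appendix, not code from the book or from Cisco. It
handles only the ACL syntax the sample configurations use and shows why the
same permit/deny keywords mean different things in a URL-redirect ACL than
in a port ACL or dACL. Both kinds end in IOS's implicit deny.
"""
from typing import List, Optional, Tuple

# IOS port keywords used in the sample ACLs (constructed lookup table).
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69}

# Constructed copies of two ACLs from the 12.2(55)SE listing.
ACL_WEBAUTH_REDIRECT = """
remark explicitly prevent DNS from being redirected
deny udp any any eq domain
remark redirect all applicable traffic to the ISE Server
permit tcp any any eq www
permit tcp any any eq 443
"""
ACL_DEFAULT = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
deny ip any any log
"""

# One entry: (action, protocol, source port, destination port); None = any port.
ACE = Tuple[str, str, Optional[int], Optional[int]]
# One flow: (protocol, source port, destination port); ports are None for ICMP.
Flow = Tuple[str, Optional[int], Optional[int]]


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text: str) -> List[ACE]:
    """Parse 'permit|deny <proto> any [eq p] any [eq p] [log]' lines, skipping remarks."""
    aces: List[ACE] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        ports: List[Optional[int]] = []
        i = 0
        for _side in ("source", "destination"):
            if i >= len(rest) or rest[i] != "any":
                raise ValueError(f"only 'any' addresses are supported: {line}")
            i += 1
            if i < len(rest) and rest[i] == "eq":
                ports.append(_port(rest[i + 1]))
                i += 2
            else:
                ports.append(None)
        # A trailing 'log' keyword does not change the match result.
        aces.append((action, proto, ports[0], ports[1]))
    return aces


def first_match(aces: List[ACE], flow: Flow) -> str:
    """Return the action of the first matching ACE; IOS appends an implicit deny."""
    proto, sport, dport = flow
    for action, aproto, asport, adport in aces:
        if aproto != "ip" and aproto != proto:
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"


REDIRECT = parse_acl(ACL_WEBAUTH_REDIRECT)
DEFAULT = parse_acl(ACL_DEFAULT)


def is_redirected(flow: Flow) -> bool:
    """Redirect-ACL semantics: 'permit' means send the flow to the ISE portal."""
    return first_match(REDIRECT, flow) == "permit"


def is_forwarded(flow: Flow) -> bool:
    """Port-ACL / dACL semantics: 'permit' forwards, 'deny' (or no match) drops."""
    return first_match(DEFAULT, flow) == "permit"


# Constructed sample flows from an endpoint using ephemeral source ports.
SAMPLE_FLOWS = {
    "dhcp discover": ("udp", 68, 67),
    "dns query": ("udp", 51000, 53),
    "http": ("tcp", 51001, 80),
    "https": ("tcp", 51002, 443),
    "ssh": ("tcp", 51003, 22),
    "ping": ("icmp", None, None),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:14} redirected={is_redirected(flow)!s:5} "
              f"forwarded-by-ACL-DEFAULT={is_forwarded(flow)}")
```

Running it prints one line per flow: DHCP, DNS and ping are left alone by the redirect ACL and forwarded by ACL-DEFAULT; HTTP and HTTPS are redirected; SSH matches no entry in either list and falls to the implicit deny in both, which means “not redirected” in one and “dropped” in the other.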

Catalyst 3560/3750 Series, 15.0(2)SE

Depending on the hardware version of your 3750 or 3560 Catalyst switch, you might be able to upgrade to 15.x code. With this model and IOS version you gain the Device Sensor capability described in detail in Chapter 15, “Profiling.” Therefore, the SNMP commands are not used, and the switch uses device-sensor commands instead. Additionally, version 15.x supports both IPv4 and IPv6, so the RADIUS server host definitions (the named radius server stanza with an address ipv4 line) are very different from the 12.x configuration.

C3750X# show run brief
Building configuration...

Current configuration : 18936 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C3750X
!
boot-start-marker
boot-end-marker
!
logging monitor informational
!
username radius-test password 0 Cisco123
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 1440
!
!
aaa server radius dynamic-author
client 10.1.103.231 server-key Cisco123
client 10.1.103.4 server-key Cisco123
!
aaa session-id common
clock timezone EDT -1 0
authentication mac-move permit
ip routing
!
!
ip dhcp snooping vlan 10-13
ip dhcp snooping
ip domain-name ise.local
ip device tracking
!
! Device Sensor enables the switch to gather raw endpoint information and send that
! information to ISE in a RADIUS accounting packet.
device-sensor filter-list cdp list my_cdp_list
tlv name device-name
tlv name platform-type
!
device-sensor filter-list lldp list my_lldp_list
tlv name port-id
tlv name system-name
tlv name system-description
!
device-sensor filter-list dhcp list my_dhcp_list
option name host-name
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list my_dhcp_list
device-sensor filter-spec lldp include list my_lldp_list
device-sensor filter-spec cdp include list my_cdp_list
device-sensor accounting
device-sensor notify all-changes
!
epm logging
!
crypto pki trustpoint TP-self-signed-254914560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-254914560
revocation-check none
rsakeypair TP-self-signed-254914560
!
!
crypto pki certificate chain TP-self-signed-254914560
certificate self-signed 01
!
dot1x system-auth-control
!
interface Loopback0
ip address 192.168.254.1 255.255.255.255
!
interface <ALL EDGE PORTS>
switchport access vlan 10
! VLAN 10 is the data VLAN for this particular switch. It may differ in your
! environment.
switchport mode access
switchport voice vlan 99
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 10
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip dhcp snooping information option allow-untrusted
!
! There are more VLANs on this switch than the 12.x version above, because it was
! in a different part of the network with different requirements. The author has
! left the configuration this way to show that these are but sample configurations,
! and you have many options.
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
ip address 10.1.30.1 255.255.255.0
!
interface Vlan99
ip address 10.1.99.1 255.255.255.0
!
!
ip http server
ip http secure-server
!
!
ip access-list extended ACL-AGENT-REDIRECT
remark explicitly prevent DNS from being redirected
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
ip access-list extended ACL-WEBAUTH-REDIRECT
remark explicitly prevent DNS from being redirected to address
deny udp any any eq domain
remark redirect all applicable traffic to the ISE Server
permit tcp any any eq www
permit tcp any any eq 443
remark all other traffic will be implicitly denied from the redirection
ip access-list extended AGENT-REDIRECT
remark explicitly prevent DNS from being redirected to address
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
!
ip radius source-interface Loopback0
ip sla enable reaction-alerts
logging origin-id ip
logging source-interface Loopback0
logging host 10.1.103.4 transport udp port 20514
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
!
radius server CP-02
address ipv4 10.1.100.232 auth-port 1812 acct-port 1813
automate-tester username radius-test
key Cisco123
!
end
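The two listings above differ mainly in how ISE gets profiling data (SNMP polling on 12.2 code, Device Sensor on 15.x) and otherwise share the same global and per-port baseline. The following script is an added example, not code from the book or from Cisco: it reads a saved running-config, checks that the baseline commands the listings rely on are present globally and on each edge port, reports which profiling method the configuration uses, and flags the cleartext credential settings that the samples use for brevity. The embedded SAMPLE_CONFIG is a constructed, abbreviated excerpt in the style of the 15.0(2)SE listing, and the interface names are assumptions.

```python
"""Audit a Catalyst running-config against the baseline in this appendix.

Added example, not code from the book or from Cisco. It checks that the global
and per-port commands the sample listings rely on are present, reports which
profiling method is in use (SNMP probe on 12.2 code, Device Sensor on 15.x) and
flags credential settings that should not ship. SAMPLE_CONFIG is a constructed,
abbreviated excerpt with one compliant edge port and one that was never finished.
"""
import re
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "aaa server radius dynamic-author",
    "dot1x system-auth-control",
    "ip device tracking",
    "radius-server dead-criteria time 5 tries 3",
    "radius-server vsa send authentication",
]
REQUIRED_PORT = [
    "authentication port-control auto",
    "authentication open",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication event server dead action authorize",
    "mab",
    "dot1x pae authenticator",
]
WEAK = [  # used in the listings for brevity; do not carry into production
    (re.compile(r"^username \S+ password 0 "), "type-0 cleartext local password"),
    (re.compile(r"^no service password-encryption$"), "password encryption disabled"),
    (re.compile(r"^snmp-server community \S+ RO$"), "SNMPv2c community, cleartext on the wire"),
]

def parse_config(text):
    """Split a running-config into global lines and per-interface line lists."""
    glob, ifaces, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            if line == "!":  # a bare '!' terminates an interface block
                cur = None
            continue
        if line.startswith("interface "):
            cur = line[len("interface "):]
            ifaces[cur] = []
        elif cur is not None:
            ifaces[cur].append(line)
        else:
            glob.append(line)
    return glob, ifaces

def audit(text, edge_ports):
    """Return the profiling method in use and a list of findings for edge_ports."""
    glob, ifaces = parse_config(text)
    has = lambda cmd, lines: any(l.startswith(cmd) for l in lines)
    findings = [f"missing global: {c}" for c in REQUIRED_GLOBAL if not has(c, glob)]
    for port in edge_ports:
        lines = ifaces.get(port, [])
        findings += [f"{port}: missing {c}" for c in REQUIRED_PORT if not has(c, lines)]
    for pat, why in WEAK:
        for l in glob:
            if pat.match(l):  # report the command, never the secret itself
                findings.append(f"weak: {why} ({' '.join(l.split()[:2])} ...)")
    if has("device-sensor accounting", glob):
        profiling = "device-sensor"  # 15.x style, no SNMP probe needed
    elif has("snmp-server community", glob):
        profiling = "snmp-probe"  # 12.2 style, ISE polls the switch
    else:
        profiling = "none"
    return {"profiling": profiling, "findings": findings}

SAMPLE_CONFIG = """\
no service password-encryption
username radius-test password 0 Cisco123
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa server radius dynamic-author
 client 10.1.103.231 server-key Cisco123
ip device tracking
device-sensor accounting
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 authentication event server dead action authorize vlan 10
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 authentication port-control auto
!
radius-server vsa send authentication
end
"""
EDGE_PORTS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]
```

Calling audit(SAMPLE_CONFIG, EDGE_PORTS) on the excerpt as written reports device-sensor profiling, one missing global command (the dead-criteria line), six missing commands on GigabitEthernet1/0/2, and two weak credential settings; the findings name the offending command but never echo the secret. To audit a real switch, paste the output of show run into the text argument and list the real edge ports; on 12.2 code the profiling result should come back as snmp-probe.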

Catalyst 4500 Series, IOS-XE 3.3.0/15.1(1)SG

The Catalyst 4500 chassis-based switch has a supervisor engine that will run IOS-XE. With this model and IOS version, you gain the device sensor capability described in detail in Chapter 15. Therefore, the SNMP commands will not be used, and the switch is using device sensor commands instead.

4503#show run brief
Building configuration...
Current configuration : 35699 bytes
!
!
version 15.1
!
hostname 4503
!
!
username radius-test password 0 Cisco123
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 1440
!
!
aaa server radius dynamic-author
client 10.1.103.232 server-key Cisco123
!
aaa session-id common
!
ip domain-name ise.local
!
ip device tracking
!
device-sensor filter-list cdp list my_cdp_list
tlv name device-name
tlv name platform-type
!
device-sensor filter-list lldp list my_lldp_list
tlv name port-id
tlv name system-name
tlv name system-description
!
device-sensor filter-list dhcp list my_dhcp_list
option name host-name
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list my_dhcp_list
device-sensor filter-spec lldp include list my_lldp_list
device-sensor filter-spec cdp include list my_cdp_list
device-sensor accounting
device-sensor notify all-changes
epm logging
!
!
crypto pki trustpoint CISCO_IDEVID_SUDI
revocation-check none
rsakeypair CISCO_IDEVID_SUDI
!
crypto pki trustpoint CISCO_IDEVID_SUDI0
revocation-check none
!
!
crypto pki certificate chain CISCO_IDEVID_SUDI
certificate 238FC0E90000002BFCA1
certificate ca 6A6967B3000000000003
crypto pki certificate chain CISCO_IDEVID_SUDI0
certificate ca 5FF87B282B54DC8D42A315B568C9ADFF
!
dot1x system-auth-control
!
!
vlan 40
name jump
!
vlan 41
name data
!
vlan 99
name voice
!
interface <ALL EDGE PORTS>
switchport access vlan 41
switchport mode access
switchport voice vlan 99
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip dhcp snooping information option allow-untrusted
!
interface Vlan1
no ip address
!
interface Vlan40
ip address 10.1.40.2 255.255.255.0
!
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.40.1
!
ip access-list extended ACL-AGENT-REDIRECT
remark explicitly prevent DNS from being redirected to address
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
ip access-list extended ACL-WEBAUTH-REDIRECT
remark explicitly prevent DNS from being redirected to address
deny udp any any eq domain
remark redirect all applicable traffic to the ISE Server
permit tcp any any eq www
permit tcp any any eq 443
remark all other traffic will be implicitly denied from the redirection
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
!
radius server CP-02
address ipv4 10.1.100.232 auth-port 1812 acct-port 1813
automate-tester username radius-test
key Cisco123
!
end

Catalyst 6500 Series, 12.2(33)SXJ

The Catalyst 6500 chassis-based switch has a supervisor engine that runs the IOS 12.2(33)SX train. With this model and IOS version, you will need to use SNMP for profiling because there is no Device Sensor. Additionally, there is no support for a critical voice VLAN, so the per-port configuration below has no authentication event server dead action authorize voice command.

hostname 6503
logging monitor informational
username radius-test password 0 Cisco123
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 1440
!
!
aaa server radius dynamic-author
client 10.1.103.232 server-key Cisco123
!
aaa session-id common
authentication mac-move permit
ip routing
!
ip domain-name ise.local
ip name-server 10.1.100.100
ip device tracking
!
!
crypto pki trustpoint TP-self-signed-4076357888
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4076357888
revocation-check none
rsakeypair TP-self-signed-4076357888
!
!
crypto pki certificate chain TP-self-signed-4076357888
certificate self-signed 01
quit
!
dot1x system-auth-control
!
interface Loopback0
ip address 192.168.254.1 255.255.255.255
!
interface <ALL EDGE PORTS>
switchport access vlan 10
switchport mode access
switchport voice vlan 99
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 10
! - Note: No Critical Voice VLAN Support on 6500's yet
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan40
ip address 10.1.40.1 255.255.255.0
!
!
ip http server
ip http secure-server
!
ip access-list extended ACL-AGENT-REDIRECT
remark explicitly prevent DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
deny ip any any
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
ip access-list extended ACL-WEBAUTH-REDIRECT
remark explicitly prevent DNS from being redirected
deny udp any any eq domain
remark redirect all applicable traffic to the ISE Server
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
!
ip radius source-interface Loopback0
logging origin-id ip
logging source-interface Loopback0
logging host 10.1.103.4 transport udp port 20514
!
snmp-server community CiscoPressRO RO
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.1.103.232 auth-port 1812 acct-port 1813 key Cisco123
radius-server vsa send accounting
radius-server vsa send authentication
!
end