Override Port-Channel Security Configuration

About this task

To configure a port channel's security settings:

Procedure

  1. Select the Security tab.
    Profile Overrides - Port Channels - Security Screen
  2. Refer to the Access Control section.
    As part of the port channel's security configuration, Inbound IPv4 IP, IPv6 IP, and MAC address firewall rules are required.

    Use the drop-down menus to select the firewall rules to apply to this profile's Ethernet port configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.

  3. Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4-specific firewall rules to apply to this profile's port channel configuration.
    IPv4 is a connectionless protocol for packet-switched networking. IPv4 operates as a best-effort delivery method: it does not guarantee delivery, and it does not ensure proper sequencing or protect against duplicate delivery (unlike TCP). IPv4 hosts can use link-local addressing to provide local connectivity.
  4. Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6-specific firewall rules to apply to this profile's port channel configuration.
    IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
  5. If there is no firewall rule that meets the data protection needs of the target port channel configuration, click the Create icon to define a new rule configuration, or click the Edit icon to modify an existing firewall rule configuration.
  6. Refer to the Trust field to define or override the following:
    Trust ARP Responses: Select this option to enable ARP trust on this port. ARP packets received on this port are considered trusted, and the information from these packets is used to identify rogue devices within the network. This option is disabled by default.
    Trust DHCP Responses: Select this option to enable DHCP trust on this port. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default.
    ARP Header Mismatch Validation: Select this option to enable a mismatch check for the source MAC in both the ARP and Ethernet header. This option is enabled by default.
    Trust 802.1p COS values: Select this option to enable 802.1p COS values on this port. This option is enabled by default.
    Trust IP DSCP: Select this option to enable IP DSCP values on this port. This option is enabled by default.
  7. Set the following IPv6 Settings:
    Trust ND Requests: Select this option to enable neighbor discovery (ND) request trust on this port channel (neighbor discovery requests received on this port are considered trusted). Neighbor discovery allows the discovery of an adjacent device's MAC addresses, similar to Address Resolution Protocol (ARP) on Ethernet in IPv4. The default value is disabled.
    Trust DHCPv6 Responses: Select this option to enable DHCPv6 trust. If enabled, only DHCPv6 responses are trusted and forwarded on this port channel, and a DHCPv6 server can be connected only to a trusted port. The default value is enabled.
    ND Header Mismatch Validation: Select this option to enable a mismatch check for the source MAC within the ND header and Link Layer Option. This option is disabled by default.
    RA Guard: Select this option to enable router advertisements or ICMPv6 redirects from this Ethernet port. Router advertisements are sent to hosts periodically or in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This option is disabled by default.
  8. Click OK to save the changes.
    Click Reset to revert to the last saved configuration.
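
The comparison behind the ARP Header Mismatch Validation option in step 6, sketched in Python as an added example (it is not the product's own code or implementation): the sender hardware address carried in the ARP payload is compared with the source MAC in the Ethernet header, with one optional 802.1Q tag skipped. The function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

ETH_ARP = 0x0806   # EtherType for ARP
ETH_VLAN = 0x8100  # EtherType for an 802.1Q tag


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def arp_header_mismatch(frame: bytes):
    """Return None for non-ARP frames, else (mismatch, eth_src, arp_sender_mac)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETH_VLAN:  # skip a single 802.1Q tag
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETH_ARP:
        return None
    if len(frame) < offset + 28:  # Ethernet/IPv4 ARP payload is 28 bytes
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper = struct.unpack_from("!HHBBH", frame, offset)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    arp_sha = frame[offset + 8 : offset + 14]  # sender hardware address
    return (eth_src != arp_sha, mac(eth_src), mac(arp_sha))


def build_arp_reply(eth_src: bytes, arp_sha: bytes, vlan=None) -> bytes:
    """Build a sample ARP reply frame (constructed test data, not a capture)."""
    dst = bytes.fromhex("020000000001")
    tag = b"" if vlan is None else struct.pack("!HH", ETH_VLAN, vlan)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + arp_sha
           + bytes([192, 0, 2, 1]) + dst + bytes([192, 0, 2, 10]))
    return dst + eth_src + tag + struct.pack("!H", ETH_ARP) + arp


if __name__ == "__main__":
    a = bytes.fromhex("0200000000aa")
    b = bytes.fromhex("0200000000bb")
    for f in (build_arp_reply(a, a), build_arp_reply(a, b, vlan=10)):
        print(arp_header_mismatch(f))
```

A frame whose two source addresses disagree is the case the option flags; non-ARP traffic returns None and is left to the other rules on the port channel.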