Security Features - Cisco WS-CBS3032-DEL Software Configuration Manual

Features

Security Features

The switch ships with these security features:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
1-10
Web authentication to allow a supplicant (client) that does not support IEEE 802.1x functionality to
be authenticated using a web browser.
Password-protected access (read-only and read-write access) to management interfaces (device
manager, Network Assistant, and the CLI) for protection against unauthorized configuration
changes
Multilevel security for a choice of security level, notification, and resulting actions
Static MAC addressing for ensuring security
Protected port option for restricting the forwarding of traffic to designated ports on the same switch
Port security option for limiting and identifying MAC addresses of the stations allowed to access
the port
VLAN aware port security option to shut down the VLAN on the port when a violation occurs,
instead of shutting down the entire port
Port security aging to set the aging time for secure addresses on a port
BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs
Standard and extended IP access control lists (ACLs) for defining security policies in both directions
on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)
Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces
VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on
information in the MAC, IP, and TCP/UDP headers
Source and destination MAC-based ACLs for filtering non-IP traffic
IPv6 ACLs to be applied to interfaces to filter IPv6 traffic
Support for dynamic creation or attachment of an auth-default ACL on a port that has no configured
static ACLs
VACL Logging to generate syslog messages for ACL denied IP packets
DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP
snooping database and IP source bindings
Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP
requests and responses to other ports in the same VLAN
IEEE 802.1Q tunneling so that customers with users at remote sites across a service-provider
network can keep VLANs segregated from other customers and Layer 2 protocol tunneling to ensure
that the customer's network has complete STP, CDP, and VTP information about all users
Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels
Layer 2 protocol tunneling bypass feature to provide interoperability with third-party vendors
Flexible-authentication sequencing to configure the order of the authentication methods that a port
tries when authenticating a new host
IEEE 802.1x with open access to allow a host to access the network before being authenticated
Chapter 1 Overview
OL-13270-06