Port Security - Cisco Catalyst 4500 Series Configuration Manual
Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Security Features

The switch supports the following applications of ACLs to filter traffic:

- MAC address filtering, which enables you to block unicast traffic for a MAC address on a VLAN interface.
- Port ACLs, which enable you to apply ACLs to Layer 2 interfaces on a switch for inbound traffic.
- Router ACLs, which are applied to Layer 3 interfaces to control the access of routed traffic between VLANs.
- VLAN ACLs or VLAN maps, which control the access of all packets (bridged and routed).

For information on ACLs, MACLs, VLAN maps, MAC address filtering, and Port ACLs, see Chapter 51, "Configuring Network Security with ACLs."

Port Security

Port security restricts traffic on a port based upon the MAC address of the workstation that accesses the port. Trunk port security extends this feature to trunks, including private VLAN isolated trunks, on a per-VLAN basis.

Sticky port security extends port security by saving the dynamically learned MAC addresses in the running configuration so that they survive a port link down and a switch reset. It enables a network administrator to restrict the MAC addresses allowed, or the maximum number of MAC addresses, on each port.

Voice VLAN sticky port security further extends sticky port security to voice-over-IP deployments. It locks a port and blocks access from any station whose MAC address differs from that of the IP phone and the workstation behind the IP phone.

For information on port security, see Chapter 47, "Configuring Port Security."

PPPoE Intermediate Agent

PPPoE Intermediate Agent (PPPoE IA) is placed between a subscriber and the BRAS to help the service provider's BRAS distinguish between end hosts connected over Ethernet to an access switch. On the access switch, PPPoE IA enables Subscriber Line Identification by appropriately tagging the Ethernet frames of different users. (The tag contains specific information such as which subscriber is connected to the switch and on which VLAN.) PPPoE IA acts as a mini security firewall between the host and the BRAS by intercepting all PPPoE Active Discovery (PAD) messages on a per-port, per-VLAN basis. It provides specific security features such as verifying PAD messages intercepted from untrusted ports, performing per-port PAD message rate limiting, and inserting VSA tags into and removing them from PAD messages.

For information on PPPoE IA, see Chapter 45, "Configuring the PPPoE Intermediate Agent."

Storm Control

Broadcast suppression is used to prevent LANs from being disrupted by a broadcast storm on one or more switch ports. A LAN broadcast storm occurs when broadcast packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in the network configuration can cause a broadcast storm. Multicast and broadcast suppression measures how much broadcast traffic is passing through a port and compares it with a configurable threshold value within a specific time interval. If the amount of broadcast traffic reaches the threshold during this interval, broadcast frames are dropped, and optionally the port is shut down.

Software Configuration Guide, Release IOS XE 3.3.0SG and IOS 15.1(1)SG, Chapter 1, Product Overview, page 1-36, OL-25340-01
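The interface configuration below is an added example, not a configuration taken from this guide; it shows the sticky port security (with a voice VLAN) and the broadcast storm control described in the Port Security and Storm Control sections applied to one access port. The interface name GigabitEthernet1/1, the VLAN numbers 10 and 20, the MAC address limit of 3, and the 1.00 percent threshold are assumptions chosen for illustration, not values from the guide.

```cisco
! Added example (not from the Cisco guide): interface, VLANs and thresholds are assumed.
!
! Sticky port security: the MAC addresses of the IP phone and the workstation
! behind it are learned dynamically and written into the running configuration,
! so they survive a link flap or a reload (once the running config is saved).
! The maximum is set to 3 rather than 2 to leave headroom in case the phone is
! also seen in the data VLAN; any further address triggers a violation.
! "restrict" drops the offending frames and logs/traps the violation without
! err-disabling the port; "shutdown" would err-disable it instead.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security violation restrict
! Storm control: once broadcast (here also multicast) traffic exceeds 1.00
! percent of the port bandwidth within the measurement interval, the excess
! frames are dropped and, because of the action, the port is err-disabled.
 storm-control broadcast level 1.00
 storm-control broadcast include multicast
 storm-control action shutdown
!
! Optional: let err-disabled ports recover automatically after the default
! recovery interval so a transient storm or violation does not need manual action.
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
```

After the phone and workstation have sent traffic, `show port-security interface GigabitEthernet1/1` and `show port-security address` list the learned sticky entries and the violation count, and `show storm-control` shows the configured level; the sticky addresses persist across a reload only after `copy running-config startup-config`.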