Session Aware Networking - Cisco Catalyst 4500 series Administration Manual

Security Features
specific security feature such as verifying the intercepted PAD message from an untrusted port, performing
per-port PAD message rate limiting, inserting and removing VSA tags into and from PAD messages,
respectively.
For information on PPPoE IA, see Chapter 47, "Configuring the PPPoE Intermediate Agent."

Session Aware Networking

Session Aware Networking provides an identity-based approach to access management and subscriber
management. It offers a consistent way to configure features across technologies, a command interface
that allows easy deployment and customization of features, and a robust policy control engine with the
ability to apply policies defined locally or received from an external server to enforce policy in the
network.
Session Aware Networking allows a single session identifier to be used for web authentication sessions
in addition to all 802.1X and MAB authenticated sessions for a client. This session ID is used for all
reporting purposes such as show commands, MIBs, and RADIUS messages and allows users to
distinguish messages for one session from messages for other sessions. This common session ID is used
consistently across all authentication methods and features applied to a session.
Note: IPv6 is not supported for web authentication, 802.1X, or MAB.
For additional information, refer to the following URL:
http://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-overview.html

Storm Control

Broadcast suppression is used to prevent LANs from being disrupted by a broadcast storm on one or
more switch ports. A LAN broadcast storm occurs when broadcast packets flood the LAN, creating
excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in
the network configuration can cause a broadcast storm. Multicast and broadcast suppression measures
how much broadcast traffic is passing through a port and compares the broadcast traffic with some
configurable threshold value within a specific time interval. If the amount of broadcast traffic reaches
the threshold during this interval, broadcast frames are dropped, and optionally the port is shut down.
Starting with Cisco IOS Release 12.2(40)SG, the Catalyst 4500 series switch allows suppression of
broadcast and multicast traffic on a per-port basis.
For information on configuring broadcast suppression, see Chapter 57, "Configuring Storm Control."

uRPF Strict Mode

The uRPF feature mitigates problems caused by the introduction of malformed or forged (spoofed) IP
source addresses into a network by discarding IP packets that lack a verifiable IP source address. uRPF
deflects denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks by forwarding only
packets that have source addresses that are valid and consistent with the IP routing table. This helps to
protect the network of the customer, the ISP, and the rest of the Internet. When using uRPF in strict mode,
the packet must be received on the interface that the router uses to forward the return packet. uRPF strict
mode is supported for both IPv4 and IPv6 prefixes.
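
The strict-mode decision described above can be modelled in a few lines. This is an added example, not code from the Cisco guide or the switch's implementation; the routing table, interface names and packets are constructed, and the model ignores equal-cost paths and default routes.

```python
import ipaddress

# Constructed routing table (documentation prefixes): (prefix, egress interface).
ROUTES = [
    ("192.0.2.0/24", "Gi1/2"),        # customer LAN
    ("192.0.2.128/25", "Gi1/3"),      # more-specific route for part of that LAN
    ("2001:db8:10::/48", "Gi1/2"),    # IPv6 customer prefix
]
FIB = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]

def best_route(src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(n, i) for n, i in FIB if n.version == addr.version and addr in n]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def urpf_strict(src, in_ifc):
    """Return (verdict, reason) for a packet with source src arriving on in_ifc."""
    route = best_route(src)
    if route is None:
        # Source address cannot be verified against the routing table.
        return "drop", "no route back to source"
    net, out_ifc = route
    if out_ifc != in_ifc:
        # Strict mode: the receiving interface must be the return-path interface.
        return "drop", f"return path for {net} is {out_ifc}, not {in_ifc}"
    return "forward", f"return path for {net} is {in_ifc}"

# Constructed packets: (source address, receiving interface).
PACKETS = [
    ("192.0.2.10", "Gi1/2"),       # arrives on its return-path interface
    ("192.0.2.200", "Gi1/2"),      # the /25 points elsewhere: asymmetric path
    ("192.0.2.10", "Gi1/1"),       # customer source seen on another port
    ("198.51.100.7", "Gi1/1"),     # no matching route
    ("2001:db8:10::5", "Gi1/2"),   # IPv6, return path matches
    ("2001:db8:99::5", "Gi1/2"),   # IPv6, no matching route
]

if __name__ == "__main__":
    for src, ifc in PACKETS:
        verdict, reason = urpf_strict(src, ifc)
        print(f"{src:>16} on {ifc}: {verdict:7} ({reason})")
```

The second packet shows the operational caveat of strict mode: a legitimate source is dropped when routing is asymmetric, so the check belongs on interfaces where the forward and return paths are known to match.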
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
Chapter 47, "Configuring the PPPoE Intermediate Agent."
Chapter 57, "Configuring Storm Control."
Chapter 1
Product Overview
OL-30933-01