Cisco Catalyst 2960-X Security Configuration Manual page 38
Cisco ios release 15.0(2)ex
Hide thumbs
Also See for Catalyst 2960-X:
- Command reference manual (135 pages) ,
- Hardware installation manual (34 pages) ,
- Getting started manual (25 pages)
Table of Contents
Advertisement
Security Features Overview
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the
port
• VLAN aware port security option to shut down the VLAN on the port when a violation occurs,instead
of shutting down the entire port.
• Port security aging to set the aging time for secure addresses on a port.
• Protocol storm protection to control the rate of incoming protocol traffic to a switch by dropping packets
that exceed a specified ingress rate.
• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs.
• Standard and extended IP access control lists (ACLs) for defining inbound security policies on Layer 2
interfaces (port ACLs).
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces.
• Source and destination MAC-based ACLs for filtering non-IP traffic.
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping
database and IP source bindings
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests
and responses to other ports in the same VLAN
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to
the network. These 802.1x features are supported:
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
14
◦ Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP
phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch
port.
To use MDA, the switch must be running the LAN Base image.
Note
◦ Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an
MDA-enabled port.
◦ VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN.
◦ Support for VLAN assignment on a port configured for multi-auth mode. The RADIUS server
assigns a VLAN to the first host to authenticate on the port, and subsequent hosts use the same
VLAN. Voice VLAN assignment is supported for one IP phone.
Note
To use this feature, the switch must be running the LAN Base image. Multi-auth host
mode is not supported in LAN Lite image.
◦ Port security for controlling access to 802.1x ports.
◦ Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized
or unauthorized state of the port.
Security Features Overview
OL-29048-01
Hide quick links:
Advertisement
Table of Contents
