Switch Security; Network Security - Cisco ME 3400 Software Configuration Manual

Ethernet access switch
Chapter 1
Overview

Switch Security

Note: The Kerberos feature listed in this section is only available on the cryptographic versions of the switch software.

Network Security

OL-9639-07
• DHCP Snooping Statistics show and clear commands to display and remove DHCP snooping statistics in summary or detail form
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN
• Password-protected access (read-only and read-write access) to management interfaces for protection against unauthorized configuration changes
• Configuration file security so that only authenticated and authorized users have access to the configuration file, preventing users from accessing the configuration file by using the password recovery process
• Multilevel security for a choice of security level, notification, and resulting actions
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
• Port security aging to set the aging time for secure addresses on a port
• LLDP (Link Layer Discovery Protocol) and LLDP-MED (Media Extensions)—Adds support for IEEE 802.1AB link layer discovery protocol for interoperability in multi-vendor networks. Switches exchange speed, duplex, and power settings with end devices such as IP Phones.
• UNI and ENI default port state is disabled
• Automatic control-plane protection to protect the CPU from accidental or malicious overload due to Layer 2 control traffic on UNIs or ENIs
• Configurable control plane security that provides service providers with the flexibility to drop customers' control-plane traffic on a per-port, per-protocol basis. Allows configuring of ENI protocol control packets for CDP, STP, LLDP, LACP, or PAgP.
• TACACS+, a proprietary feature for managing network security through a TACACS server
• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through authentication, authorization, and accounting (AAA) services
• Kerberos security system to authenticate requests for network resources by using a trusted third party (requires the cryptographic versions of the switch software)
• Static MAC addressing for ensuring security
• Standard and extended IP access control lists (ACLs) for defining security policies in both directions on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)
• IPv6 ACLs to be applied to interfaces to filter IPv6 traffic
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
Features