Security Features - Cisco IE-3000-8TC Software Configuration Manual

Features

Security Features

•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Cisco IE 3000 Switch Software Configuration Guide
1-8
IP Service Level Agreements (IP SLAs) responder support that allows the switch to be a target
device for IP SLAs active traffic monitoring
Web authentication to allow a supplicant (client) that does not support IEEE 802.1x functionality to
be authenticated using a web browser
Local web authentication banner so that a custom banner or an image file can be displayed at a web
authentication login screen
Password-protected access (read-only and read-write access) to management interfaces (device
manager, Network Assistant, and the CLI) for protection against unauthorized configuration
changes
Multilevel security for a choice of security level, notification, and resulting actions
Static MAC addressing for ensuring security
Protected port option for restricting the forwarding of traffic to designated ports on the same switch
Port security option for limiting and identifying MAC addresses of the stations allowed to access
the port
VLAN aware port security option to shut down the VLAN on the port when a violation occurs,
instead of shutting down the entire port.
Port security aging to set the aging time for secure addresses on a port
BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs
Standard and extended IP access control lists (ACLs) for defining inbound security policies on
Layer 2 interfaces (port ACLs)
Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces
Source and destination MAC-based ACLs for filtering non-IP traffic
DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP
snooping database and IP source bindings
Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP
requests and responses to other ports in the same VLAN
IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining
access to the network. These features are supported:
Multidomain authentication (MDA) to allow both a data device and a voice device, such as an
–
IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled
switch port
– VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN
– Port security for controlling access to 802.1x ports
– Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized
or unauthorized state of the port
– IP phone detection enhancement to detect and recognize a Cisco IP phone.
– Guest VLAN to provide limited services to non-802.1x-compliant users
– Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have
the credentials to authenticate via the standard 802.1x processes
Chapter 1 Overview
OL-13018-03