Cisco Systems NME-16ES-1G manual Security Features

Cisco EtherSwitch Service Modules Feature Guide

Information About the Cisco EtherSwitch Service Modules

Voice VLAN for creating subnets for voice traffic from Cisco IP phones.

VLAN 1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic in VLAN 1 is sent or received on that trunk. The Cisco EtherSwitch service module CPU continues to send and receive control protocol frames (such as CDP, VTP and DTP) in VLAN 1 on the trunk.

Security Features

Note The Kerberos feature listed in this section is available only on the cryptographic versions of the Cisco EtherSwitch service module software image.

Password-protected access (read-only and read-write access) to management interfaces for protection against unauthorized configuration changes

Multilevel security for a choice of security level, notification, and resulting actions

Static MAC addressing for ensuring security: a statically configured address is bound to one port and VLAN, so a frame forged with that source address on another port cannot move the entry and hijack the station's traffic

Protected port option for restricting the forwarding of traffic between designated ports on the same Cisco EtherSwitch service module: two protected ports never exchange unicast, multicast or broadcast frames with each other at Layer 2 and can reach one another only through an unprotected port, such as the uplink to a router

Port security option for limiting and identifying MAC addresses of the stations allowed to access the port

Port security aging to set the aging time for secure addresses on a port

BPDU guard for shutting down (error-disabling) a Port Fast-configured port when that port receives a spanning-tree BPDU, which indicates that a switch rather than an end station has been connected where only end stations are expected
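The port-level features above (port security with aging, protected ports, static MAC entries and BPDU guard on Port Fast ports) combine into a single access-port hardening configuration. The following is an added example in Cisco IOS syntax; it is not taken from the feature guide. The interface names (FastEthernet1/0/x, the naming used by the EtherSwitch service module), VLAN numbers, MAC address and timer values are assumptions for illustration.

```ios
! Added example, not part of the feature guide. Interface names, VLAN
! numbers, the MAC address and the timer values are assumptions.
!
! Let an error-disabled port recover on its own after five minutes so that
! a one-off violation does not require an operator to bounce the port.
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Workstation port: at most two learned addresses (PC plus IP phone),
! learned addresses are kept in the running configuration (sticky),
! idle addresses age out after 5 minutes, a third address is dropped
! and logged (restrict) rather than taking the port down.
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Two kiosk ports in the same VLAN that must reach the uplink but never
! each other: protected ports do not exchange any frames at Layer 2.
interface FastEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet1/0/3
 switchport mode access
 switchport access vlan 20
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Pin a server's MAC address to its port in VLAN 10. A frame with this
! source address arriving on any other port cannot relearn the entry.
mac address-table static 0000.0c12.3456 vlan 10 interface FastEthernet1/0/4
```

Verify with `show port-security interface FastEthernet1/0/1` (secure address count, violation mode, last violating source) and `show interfaces status err-disabled` after a test violation. Note that `violation restrict` keeps the port up and only drops the offending frames; if a hard stop is wanted use `violation shutdown`, in which case the `errdisable recovery` lines above decide how quickly the port comes back.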

Standard and extended IP access control lists (ACLs) for defining security policies in both directions on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs)

Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces

VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on information in the MAC, IP, and TCP/User Datagram Protocol (UDP) headers

Source and destination MAC-based ACLs for filtering non-IP traffic
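The three ACL types listed above are applied at different points and are easy to confuse: router ACLs filter routed traffic in both directions on a Layer 3 interface, port ACLs (including MAC ACLs) filter only inbound on a Layer 2 port, and VLAN maps filter traffic that stays inside one VLAN and therefore never crosses a router ACL. The following is an added example in Cisco IOS syntax showing one of each; it is not taken from the feature guide. Addresses, VLAN numbers, ACL names and interface names are assumptions for illustration.

```ios
! Added example, not part of the feature guide. Addresses, VLAN numbers,
! ACL names and interface names are assumptions.
!
! Router ACLs on the VLAN 10 SVI: what users may send out of the VLAN and
! what may be routed back in. Applied in both directions.
ip access-list extended USERS-OUT
 permit udp 10.1.10.0 0.0.0.255 host 10.1.1.53 eq domain
 permit tcp 10.1.10.0 0.0.0.255 any eq 80
 permit tcp 10.1.10.0 0.0.0.255 any eq 443
 deny   ip any any
ip access-list extended USERS-IN
 permit udp host 10.1.1.53 eq domain 10.1.10.0 0.0.0.255
 permit tcp any 10.1.10.0 0.0.0.255 established
 deny   ip any any
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group USERS-OUT in
 ip access-group USERS-IN out
!
! Port ACL: an extended MAC ACL applied inbound on a Layer 2 port to drop
! legacy non-IP protocols from the station while passing everything else.
mac access-list extended NO-LEGACY
 deny   any any appletalk
 deny   any any aarp
 deny   any any decnet-iv
 permit any any
interface FastEthernet1/0/6
 switchport mode access
 switchport access vlan 10
 mac access-group NO-LEGACY in
!
! VLAN map: intra-VLAN filtering. Two hosts in VLAN 10 talking SMB to each
! other never hit the SVI, so only a VLAN map can block it. Sequence 10
! drops matches; sequence 20 forwards the rest (without it the map would
! drop everything, because a VLAN map ends with an implicit drop).
ip access-list extended PEER-SMB
 permit tcp any any eq 445
 permit tcp any any eq 139
vlan access-map NO-PEER-SMB 10
 match ip address PEER-SMB
 action drop
vlan access-map NO-PEER-SMB 20
 action forward
vlan filter NO-PEER-SMB vlan-list 10
```

Check the result with `show ip access-lists`, `show access-lists` for the MAC ACL, and `show vlan access-map` together with `show vlan filter`. Two caveats a practitioner should keep in mind: the VLAN map also sees traffic that is routed into VLAN 10, not only host-to-host traffic, and port ACLs take precedence over a VLAN map on the same port for inbound frames.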

DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers

IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network

802.1x with VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN

802.1x with port security for controlling access to 802.1x ports, so that the port security address limit also bounds the stations that can pass through an authenticated port

802.1x with voice VLAN to permit IP phone access to the voice VLAN regardless of the authorized or unauthorized state of the port

802.1x with guest VLAN to provide limited services to non-802.1x-compliant users

TACACS+, a proprietary feature for managing network security through a TACACS server

RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through authentication, authorization, and accounting (AAA) services
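DHCP snooping, IEEE 802.1x with its VLAN, voice VLAN and guest VLAN variants, and the RADIUS and TACACS+ back ends listed above are normally deployed together: RADIUS authenticates the user and returns the VLAN, TACACS+ protects the management plane, and DHCP snooping stops a rogue server from answering the freshly admitted client. The following is an added example in Cisco IOS syntax; it is not taken from the feature guide. Server addresses, shared secrets, VLAN and interface numbers and timer values are assumptions for illustration.

```ios
! Added example, not part of the feature guide. Server addresses, shared
! secrets, VLAN numbers, interface names and timers are assumptions.
!
! AAA: RADIUS for 802.1x (authentication, VLAN assignment, accounting),
! TACACS+ for logins to the module's own CLI, local fallback if the
! TACACS+ server is unreachable.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
tacacs-server host 192.0.2.11 key ExampleTacacsSecret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ExampleRadiusSecret
dot1x system-auth-control
!
! DHCP snooping on the user and voice VLANs. Only the uplink that leads to
! the real DHCP server is trusted; DHCPOFFER/DHCPACK from any other port
! is dropped. Option 82 insertion is turned off because a server that does
! not understand it discards the relayed request.
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
interface GigabitEthernet1/0/1
 description Uplink towards DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! 802.1x access port. Until the supplicant authenticates the port carries
! no data traffic; a VLAN returned by RADIUS overrides VLAN 10; an IP phone
! may use the voice VLAN regardless of the port's authorization state; a
! host with no supplicant is placed in guest VLAN 99 after the EAP
! requests time out. DHCP requests are rate-limited to blunt floods.
interface FastEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 dot1x port-control auto
 dot1x guest-vlan 99
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 ip dhcp snooping limit rate 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Verify the state with `show dot1x interface FastEthernet1/0/5` (port status, authorized VLAN), `show ip dhcp snooping` and `show ip dhcp snooping binding` (the per-port lease table that the snooping filter builds). Two failure modes worth checking before rolling this out: if the uplink is not marked `trust`, every client in VLAN 10 and 110 silently loses DHCP, and if `aaa authorization network` is missing, RADIUS VLAN assignment is ignored and every authenticated user lands in VLAN 10.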

Cisco IOS Release 12.2(25)SEC
