Cisco Systems 3560

1-9

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 1 Overview

Features

• Standard and extended IP access control lists (ACLs) for defining security policies in both

directions on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port

ACLs)

• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2

interfaces

• VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on

information in the MAC, IP, and TCP/UDP headers

• Source and destination MAC-based ACLs for filtering non-IP traffic

• IPv6 ACLs to be applied to interfaces to filter IPv6 traffic:

• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers

• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP

snooping database and IP source bindings

• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP

requests and responses to other ports in the same VLAN

• IEEE 802.1Q tunneling so that customers with users at remote sites across a service-provider

network can keep VLANs segregated from other customers and Layer 2 protocol tunneling to ensure

that the customer’s network has complete STP, CDP, and VTP information about all users

• Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels

• Layer 2 protocol tunneling bypass feature to provide interoperability with third-party vendors

• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining

access to the network. These features are supported:

–

Multidomain authentication (MDA) to allow both a data device and a voice device, such as an

IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled

switch port

–

Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an

MDA-enabled port

–

VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN

–

Port security for controlling access to 802.1x ports

–

Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized

or unauthorized state of the port

–

IP phone detection enhancement to detect and recognize a Cisco IP phone.

–

Guest VLAN to provide limited services to non-802.1x-compliant users

–

Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have

the credentials to authenticate via the standard 802.1x processes

–

802.1x accounting to track network usage

–

802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a

specific Ethernet frame

–

802.1x readiness check to determine the readiness of connected end hosts before configuring

IEEE 802.1x on the switch

–

Voice aware 802.1x security to apply traffic violation actions only on the VLAN on which a

security violation occurs.

–

MAC authentication bypass to authorize clients based on the client MAC address.