Cisco Systems IE3010

1-7

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 1 Overview

Features

• Local web authentication banner so that a custom banner or an image file can be displ ayed at a web

authentication login screen

• MAC authentication bypass (MAB) aging timer to detect inactive hosts that have authenticated after

they have authenticated by using MAB

• Password-protected access (read-only and read-write access) to management interfaces (device

manager, and the CLI) for protection against unauthorized configuration changes

• Multilevel security for a choice of security level, notification, and resulting actions

• Static MAC addressing for ensuring security

• Protected port option for restricting the forwarding of traffic to designated ports o n the same switch

• Port security option for limiting and identifying MAC addresses of the stations allowed to access

the port

• VLAN aware port security option to shut down the VLAN on the port when a violation occurs,

instead of shutting down the entire port.

• Port security aging to set the aging time for secure addresses on a port

• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs

• Standard and extended IP access control lists (ACLs) for defining security policies in both direct ions

on routed interfaces (router ACLs) and VLANs and inbound on La yer 2 interfaces (port ACLs)

• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2

interfaces

• Source and destination MAC-based ACLs for filtering non-IP traffic

• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers

• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP

snooping database and IP source bindings

• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP

requests and responses to other ports in the same VLAN

• Layer 2 protocol tunneling bypass feature to provide interoperability with third-party vendors

• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining

access to the network. These features are supported:

–

Multidomain authentication (MDA) to allow both a data device and a voice device, such as an

IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled

switch port

–

Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an

MDA-enabled port

–

VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN

–

Port security for controlling access to 802.1x ports

–

Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized

or unauthorized state of the port

–

IP phone detection enhancement to detect and recognize a Cisco IP phone.

–

Guest VLAN to provide limited services to non-802.1x-compliant users

–

Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have

the credentials to authenticate via the standard 802.1x processes

–

802.1x accounting to track network usage